Category Archives: Security

HOWTO Secure iSCSI Luns Between Debian Linux 7.1 and NetApp Storage with Mutual CHAP

28 Saturday Sep 2013

Posted by in iSCSI, Linux, NetApp, Security

Leave a comment

Tags

, , ,

This post demonstrates how to enable two-way or mutual CHAP on iSCSI luns between Debian Linux 7.1 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.

1) Install open-iscsi on your server.
> apt-get install open-iscsi
> reboot (don’t argue with me, just do it!)

2) Display your server’s new iscsi initiator or iqn nodename.
> cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1993-08.org.debian:01:e6d4ee61d916

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregrate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) Create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/DEB71_iSCSI_MCHAP_01

5) Create an igroup and add the Linux iscsi nodename or iqn from step 2 above to it.
netapp> igroup create -i -t linux ISCSI_MCHAP_DEB71
netapp> igroup add ISCSI_MCHAP_DEB71 iqn.1993-08.org.debian:01:e6d4ee61d916
netapp> igroup show

ISCSI_MCHAP_DEB71 (iSCSI) (ostype: linux):
iqn.1993-08.org.debian:01:e6d4ee61d916 (not logged in)

6) Map the lun to the iscsi-group and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/DEB71_iSCSI_MCHAP_01 ISCSI_MCHAP_DEB71 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.84167939

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1993-08.org.debian:01:e6d4ee61d916 -s chap -p MCHAPDEB71 -n iqn.1993-08.org.debian:01:e6d4ee61d916 -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.84167939

netapp> iscsi security show

init: iqn.1993-08.org.debian:01:e6d4ee61d916 auth: CHAP Inbound password: **** Inbound username: iqn.1993-08.org.debian:01:e6d4ee61d916 Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below.  
> vi /etc/iscsi/iscsid.conf:
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1993-08.org.debian:01:e6d4ee61d916
node.session.auth.password = MCHAPDEB71
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1993-08.org.debian:01:e6d4ee61d916
discovery.sendtargets.auth.password = MCHAPDEB71
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, discover your iSCSI target (your storage system).
> iscsiadm -m discovery -t st -p 10.10.10.11
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

> iscsiadm -m node  (this should display the same as above)
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

11) On the server, manually login to the iSCSI target (your storage array).
> iscsiadm -m node –targetname “iqn.1992-08.com.netapp:sn.84167939” –login

Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] successful.

On the NetApp storage console you should see the iSCSI sessions:
[iscsi.notice:notice]: ISCSI: New session from initiator iqn.1993-08.org.debian:01:e6d4ee61d916 at IP addr 10.10.10.203
[iscsi.notice:notice]: ISCSI: New session from initiator iqn.1993-08.org.debian:01:e6d4ee61d916 at IP addr 10.10.10.203

Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 49
Initiator Information
Initiator Name: iqn.1993-08.org.debian:01:e6d4ee61d916
ISID: 00:02:3d:01:00:00
Initiator Alias: deb71

12) Stop and start the iscsi service on the server.
> service open-iscsi stop
Pause for 10 seconds and then run the next command.
> service open-iscsi start

[ ok ] Starting iSCSI initiator service: iscsid.
[….] Setting up iSCSI targets:
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] successful.
. ok
[ ok ] Mounting network filesystems:.

13) From the server , check your session.
> iscsiadm -m session -P 1

14) From the server, check the NetApp iSCSI details.
> iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.84167939” –portal 10.10.10.11:3260

15) From the server, find and format the new lun (new disk).
> cat /var/log/messages | grep “unknown partition table”
deb71 kernel: [ 1856.751777]  sdb: unknown partition table

> fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x07f6c360.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won’t be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): press enter
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759): press enter
Using default value 10485759

Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes
166 heads, 62 sectors/track, 1018 cylinders, total 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x07f6c360

Device Boot      Start     End               Blocks       Id  System
/dev/sdb1         2048    10485759     5241856   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Command (m for help): q

16) On the server, create the Linux file system on the new partition.
> mkfs -t ext4 /dev/sdb1
mke2fs 1.42.5 (29-Jul-2012)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310464 blocks
65523 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

17) Verify the partition.
> blkid /dev/sdb1
/dev/sdb1: UUID=”afba2daf-1de8-4ab1-b93e-e7c99c82c054″ TYPE=”ext4″

18) Create the mount point and manually mount the directory.
> mkdir /newiscsilun
> mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1 5.0G   10M  4.7G   1% /newiscsilun

19) Add the new mount point to /etc/fstab.
> vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

20) Test that it survives a reboot by rebooting the server. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify its mounted.

> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1 5.0G   10M  4.7G   1% /newiscsilun

21) On the server you can check session stats.
> iscsiadm -m session -s
Stats for session [sid: 1, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260]
iSCSI SNMP:
txdata_octets: 69421020
rxdata_octets: 765756
noptx_pdus: 0
scsicmd_pdus: 365
tmfcmd_pdus: 0
login_pdus: 0
text_pdus: 0
dataout_pdus: 924
logout_pdus: 0
snack_pdus: 0
noprx_pdus: 0
scsirsp_pdus: 365
tmfrsp_pdus: 0
textrsp_pdus: 0
datain_pdus: 193
logoutrsp_pdus: 0
r2t_pdus: 924
async_pdus: 0
rjt_pdus: 0
digest_err: 0
timeout_err: 0
iSCSI Extended:
tx_sendpage_failures: 0
rx_discontiguous_hdr: 0
eh_abort_cnt: 0

22) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> chmod 600 /etc/iscsi/iscsid.conf

23) On the NetApp storage you can verify the Lun and the server’s session.
> lun show -v /vol/MCHAPVOL/DEB71_iSCSI_MCHAP_01
/vol/MCHAPVOL/DEB71_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: hoagPJtrPZCi
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_DEB71=1

>  iscsi session show -v
Session 55
Initiator Information
Initiator Name: iqn.1993-08.org.debian:01:e6d4ee61d916
ISID: 00:02:3d:01:00:00
Initiator Alias: deb71

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=No
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=2
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 32

Connection Information
Connection 0
Remote Endpoint: 10.10.10.203:57127
Local Endpoint: 10.10.10.11:3260
Local Interface: e0a
TCP recv window size: 131400

Using cipher.exe on Windows to purge deleted files for good.

20 Saturday Jul 2013

Posted by in Security, Windows

Leave a comment

Tags

,

It’s well known that when you delete files and folders in Windows they are not technically deleted.  When you delete a file, the disk space used by these files is tagged as available for use. This allows the files to be reconstituted using various free recovery utilities such as SoftPerfect’s File Recovery or Piriform’s Recuva. The blocks must be overwritten to actually eliminate them completely.

Windows has a native utility named cipher.exe that can wipe those pointers and make sure the data is actually purged. Cipher.exe can overwrite all free space on your disk thus insuring files you have deleted and actually gone.

This is a safe utility. I have run this command many times over the years. You can also setup a scheduled task and run weekly to keep your systems clean. Launch a command prompt as administrator (right-click cmd.exe and select Run as administrator) and type the following:

c:\cipher /w:X where X is the drive letter you want to clean.

You can run this on your c:\ drive without any issues. Also note that the larger your drive, the longer this will take. For reference, a 1TB drive 3/4’s full took about 3 hours.

Example (this is on Windows 7):

C:\Windows\system32> cipher /w:c

To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
………………………………………………………………………………………………………….
Writing 0xFF
…………………………………………………………………………………………………………..
Writing Random Numbers
…………………………………………………………………………………………………………..

C:\Windows\system32>

 

Further reading on cipher.exe options is available here:

http://technet.microsoft.com/en-us/library/cc771346(v=ws.10).aspx

Nessus now audits NetApp Data ONTAP

16 Tuesday Jul 2013

Posted by in Nessus, NetApp, Security

Leave a comment

Tags

,

From the Tenable blog post:

Nessus recently added capabilities to perform configuration and compliance audits in two major areas of the enterprise. First, Tenable added the ability to audit enterprise Cisco networking equipment, namely Cisco’s Nexus NX-OS. Then, we expanded and greatly enhanced support for auditing VMware vSphere and vCenter. Now, we’ve added support for auditing NetApp Data ONTAP storage devices. The new .audit is primarily based off the NetApp hardening guides (technical reports TR-3649 and TR-3996).

http://www.tenable.com/blog/nessus-now-secures-netapp-data-ontap

Install HP ArcSight Logger v5.3.1

08 Saturday Jun 2013

Posted by in HP, Linux, Security

Leave a comment

Tags

, ,

This is a follow-up post from a previous post here: http://slice2.com/2013/06/05/tweaking-the-hp-arcsight-logger-centos-vmware-appliance/

You can continue the installation with the post below. Once you get to the step to run the installer script, I have colored the answers in red text. The final post to be completed soon will show installation of connectors and Logger configuration.

Note: the default factory root password is arcsight.

1) Login as root and install man pages.
-> yum install man -y

2) Create user for services that cant run as root.
-> useradd -d /home/arcsvcadm -c “Arcsight Service Accoint” arcsvcadm
-> passwd arcsvcadm

3) Change hostname and set a static IP.
-> vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=<your hostname>
GATEWAY=<your gateway IP address>
-> wq!

-> vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=”eth0″
IPADDR=”<your IP address>”
NETMASK=”255.255.255.0″
BROADCAST=”<your broadcast address>”
IPV6INIT=”no”
ONBOOT=”yes”
TYPE=”Ethernet”
-> wq!

-> vi /etc/hosts
<your IP address> <your hostname> <your FQDN>
->wq!
-> reboot

4) Add another disk to the VM. Right-click VM and selet Edit Settings.
a) Click Add on the Hardware tab.
b) Select Hardrive and click Next.
c) Create a New Virtual Disk and click Next.
d) Edit your disk size (20 gigs is fine to test), whether think or thin and click Next.
e) Accept defaults on Advanced options and click Next.
f) Click Finish.
g) Wait a minute and reboot the VM.

5) Log in as root and copy the binary to the correct execution location.
-> cd /opt/arcsight/installers
-> ls -l
-rwxr—–. 1 arcsight arcsight 467865676 Apr 16 08:00 ArcSight-logger-5.3.1.6838.0.bin
-rwxr—–. 1 arcsight arcsight        67 Apr 16 08:00 ArcSight-logger-5.3.1.6838.0.bin.md5
-> cp ArcSight-logger-5.3.1.6838.0.bin /opt/arcsight/logger/

6) Run the installer.
-> cd /opt/arcsight/logger/
-> ./ArcSight-logger-5.3.1.6838.0.bin

Preparing to install…
Extracting the JRE from the installer archive…
Unpacking the JRE…
Extracting the installation resources from the installer archive…
Configuring the installer for this system’s environment…

Launching installer…
Graphical installers are not supported by the VM. The console mode will be used instead…
=========================================================================
ArcSight Logger 5.3 SP1                          (created with InstallAnywhere)
——————————————————————————-

Preparing CONSOLE Mode Installation…

=========================================================================
Introduction
————

InstallAnywhere will guide you through the installation of ArcSight Logger 5.3 SP1.

It is strongly recommended that you quit all programs before continuing with this installation.

Respond to each prompt to proceed to the next step in the installation.  If you want to change something on a previous step, type ‘back’.

You may cancel this installation at any time by typing ‘quit’.

PRESS <ENTER> TO CONTINUE: (pres enter)

=========================================================================
License Agreement
—————–

Installation and Use of ArcSight Logger 5.3 SP1 Requires Acceptance of the Following License Agreement:

END USER LICENSE AGREEMENT

PLEASE READ CAREFULLY: THE USE OF THE SOFTWARE IS SUBJECT TO THE TERMS AND
CONDITIONS THAT FOLLOW (“AGREEMENT”), UNLESS THE SOFTWARE IS SUBJECT TO A
SEPARATE LICENSE AGREEMENT BETWEEN YOU AND HP OR ITS SUPPLIERS.  BY
DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR USING THE SOFTWARE, OR BY
CHOOSING THE “I ACCEPT” OPTION LOCATED ON OR ADJACENT TO THE SCREEN WHERE THIS
AGREEMENT MAY BE DISPLAYED, YOU AGREE TO THE TERMS OF THIS AGREEMENT, ANY
APPLICABLE WARRANTY STATEMENT AND THE TERMS AND CONDITIONS CONTAINED IN THE
“ANCILLARY SOFTWARE”  (as defined below). IF YOU ARE ACCEPTING THESE TERMS ON
BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND
WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL
ENTITY TO THESE TERMS.  IF YOU DO NOT AGREE TO THESE TERMS, DO NOT DOWNLOAD,
INSTALL, COPY, ACCESS, OR USE THE SOFTWARE, AND PROMPTLY RETURN THE SOFTWARE
WITH PROOF OF PURCHASE TO THE PARTY FROM WHOM YOU ACQUIRED IT AND OBTAIN A
REFUND OF THE AMOUNT YOU PAID, IF ANY.  IF YOU DOWNLOADED THE SOFTWARE, CONTACT
THE PARTY FROM WHOM YOU ACQUIRED IT.

This Software may be provided to you by Electronic Delivery. “Electronic
Delivery” means any delivery of Software to you that is made solely by remote

PRESS <ENTER> TO CONTINUE: (press enter about 14 times to get to the end)

DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): Y

Custom code execution Started…
Custom code execution Completed…
Custom code execution Started…
Custom code execution Completed…

=========================================================================
Choose Install Folder
———————

Provide a location for ArcSight Logger 5.3 SP1 that has a minimum of 30GB of storage available.

Where would you like to install?

Default Install Folder: /opt

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
: /opt/arcsight/logger

INSTALL FOLDER IS: /opt/arcsight/logger
IS THIS CORRECT? (Y/N): y

=========================================================================
Select License Type
——————-

This installation package includes a trial license that can be used for a limited period to evaluate the product. For deploying in a production environment, you need a license file from HP.

Do you have license file for this installation?

1- No, use the trial license
->2- Yes

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

=========================================================================
Pre-Install Summary
——————-

Please Review the Following Before Continuing:

Product Name:
ArcSight Logger 5.3 SP1

Install Folder:
/opt/arcsight/logger

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================
Installing…
————-

[=================|=================|=================|=================]
[—————————————————————————-

=========================================================================
User Settings
————-

Due to product security requirements, certain Logger processes cannot be run as a root user. Therefore, a non-root user account is required even when you install Logger as a root user.

Enter a non-root user name that exists on this system. Optionally, enter an alternate HTTPS port.

NOTE: Once you press [Enter], you cannot change the entered values.

User Name (DEFAULT: ): arcsvcadm

HTTPS Port (DEFAULT: 443): 443

Custom code execution Started…
Custom code execution Completed…

=========================================================================
User Settings
————-

Choose if you want to run Logger as a system service.

NOTE: Once you press [Enter], you cannot change the entered value.

->1- Configure as a service
2- Configure as standalone

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

=========================================================================
Locale Setting
————–

Select the Locale setting.
The Locale setting ensures that the user interface displays information such as date, time, numbers, and messages in the format and language appropriate for the selected country.

Once configured, Locale cannot be changed.

->1- English (United States)
2- Japanese (Japan)
3- Simplified Chinese
4- Traditional Chinese

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 1

Custom code execution Started…
Custom code execution Completed…

=========================================================================
Begin Initialization
——————–

The installation of Logger software was successful…

Initialization will begin after pressing [Enter].  This may take several minutes.

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================
Begin Configuration
——————-

The initialization of Logger software was successful…

Configuration of Logger will start after pressing [Enter].

The Configuration Complete screen is displayed once configuration is complete and Logger has started up.

PRESS <ENTER> TO CONTINUE: (press enter)

=========================================================================

Custom code execution Started…
Custom code execution Completed…

=========================================================================
Configuration Is Complete
————————-

Logger has started. Press [Enter] to close the installer.

Use this URL to access the Logger User Interface.

https://10.10.10.34:443/  (note – your URL will show your IP address)

PRESS <ENTER> TO CONTINUE: (press enter)

7) Launch a browser and login to the URL above as the factory default admin/password.

Solaris 10 1/13 Kerberos KDC HOWTO

07 Friday Jun 2013

Posted by in Security, Solaris

2 Comments

Tags

,

This is based on my demo lab. If you follow the steps and just insert your info you should be fine. I’ll post Kerberized NFS and other services soon.

1) Verify packages are installed. If not, install them.
-> pkginfo SUNWkrbr SUNWkrbu SUNWkdcu SUNWkdcr
system SUNWkdcr Kerberos V5 KDC (root)
system SUNWkdcu Kerberos V5 Master KDC (user)
system SUNWkrbr Kerberos version 5 support (Root)
system SUNWkrbu Kerberos version 5 support (Usr)

2) If not installed, insert DVD, mount ISO or use NFS mount:
-> pkgadd -d /path/to/package/SUNWkrbr
-> pkgadd -d /path/to/package/SUNWkrbu
-> pkgadd -d /path/to/package/SUNWkdcu
-> pkgadd -d /path/to/package/SUNWkdcr

3) Make sure all of the SSH packages are installed.
-> pkginfo SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
system SUNWsshcu SSH Common, (Usr)
system SUNWsshdr SSH Server, (Root)
system SUNWsshdu SSH Server, (Usr)
system SUNWsshr SSH Client and utilities, (Root)
system SUNWsshu SSH Client and utilities, (Usr)

4) Define these elements before you start.
a. Realm name = LAB.SLICE2.COM. This is the name of your Kerberos Realm. Think of it like your Active Directory domain.
b. Master KDC = labkdc01.slice2.com. This is your Kerberos Key Distribution Center. Think of it like your Windows Domain Controller.
c. admin principal and password = kws/admin. This is your administrative principle user account. Think of it like your Windows Domain Admin.
d. The KDC Master password = (your choice). This is the KDC master database password. Do no forget this password or you will be hosed.
e. Host OS: Solaris 10. This was done with Solaris 10 x86 Update 11.
f. Hosts: Solaris 10u11 KDC and Solaris 10u11 client.

5) Configure NTP. Time is critical to Kerberos. If NTP is already done, skip this step.
-> /var/ntp/ntp.drift
-> cp /etc/inet/ntp.client /etc/inet/ntp.conf
-> vi /etc/inet/ntp.conf
server 10.10.10.2
server 10.10.10.3
driftfile /var/ntp/ntp.drift
multicastclient 224.0.1.1
-> wq!
-> svcadm restart ntp (or svcadm enable ntp if never run before)

a. Verify ntp:
-> ntpq -p
remote refid st t when poll reach delay offset disp
=======================================================
labdc01.lab.sli .LOCL. 1 u 23 64 3 1.17 -25.978 7887.18
labdc02.lab.sli labdc01.lab.sli 2 u 22 64 3 0.99 -36.954 7895.22

6) Login as root on the Solaris host to become the KDC. Edit the Kerberos configuration file krb5.conf to fit your environment. Only change where the text is red below.

-> cp /etc/krb5/krb5.conf /etc/krb5/krb5.conf.orig
-> vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = LAB.SLICE2.COM

[realms]
LAB.SLICE2.COM = {
kdc = labkdc01.lab.slice2.com
# kdc = ___slave_kdc1___
# kdc = ___slave_kdc2___
# kdc = ___slave_kdcN___
admin_server = labkdc01.lab.slice2.com
}

[domain_realm]
lab.slice2.com = LAB.SLICE2.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, …)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
# help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}

-> wq!

7) Edit the KDC file kdc.conf. Change the text in red with your environment and add the lines in blue to the end of the [realms] header.

-> cp /etc/krb5/kdc.conf /etc/krb5/kdc.conf.orig
-> vi /etc/krb5/kdc.conf

[kdcdefaults]
kdc_ports = 88,750

[realms]
LAB.SLICE2.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}

-> wq!

8) Create the KDC database.

-> /usr/sbin/kdb5_util create -s

Initializing database ‘/var/krb5/principal’ for realm ‘LAB.SLICE2.COM’,
master key name ‘K/M@LAB.SLICE2.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

9) Edit the Kerberos access control list.

-> cp /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.orig
-> vi /etc/krb5/kadm5.acl and add:

*/admin@LAB.SLICE2.COM *

-> wq!

10) Add principals.

-> /usr/sbin/kadmin.local
Authenticating as principal root/admin@LAB.SLICE2.COM with password.
kadmin.local:

a. Add administration principals to the database.
kadmin.local: addprinc kws/admin

WARNING: no policy specified for kws/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “kws/admin@LAB.SLICE2.COM”:
Re-enter password for principal “kws/admin@LAB.SLICE2.COM”:
Principal “kws/admin@LAB.SLICE2.COM” created.

b. Create the kiprop principals.
admin.local: addprinc -randkey kiprop/labkdc01.lab.slice2.com

WARNING: no policy specified for kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy add_principal: Principal or policy already exists while creating “kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM”.

c. Create a keytab file for the kadmind service.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/labkdc01.lab.slice2.com

Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/labkdc01.lab.slice2.com

Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw

Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

d. Add the kiprop principal for the master KDC server to the kadmind keytab file.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/labkdc01.lab.slice2.com

Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

e. Quit kadmin.local.
kadmin.local: quit

11) Start the Kerberos daemons.
-> svcadm enable -r network/security/krb5kdc
-> svcadm enable -r network/security/kadmin

12) Start kadmin and add more principals.
-> /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin with password.
Password for kws/admin@LAB.SLICE2.COM:

a. Create the master KDC host principal.
kadmin: addprinc -randkey host/labkdc01.lab.slice2.com

WARNING: no policy specified for host/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
Principal “host/labkdc01.lab.slice2.com@LAB.SLICE2.COM” created.

b. Create the kclient principal.
kadmin: addprinc clntconfig/admin

WARNING: no policy specified for clntconfig/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Re-enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Principal “clntconfig/admin@LAB.SLICE2.COM” created.

c. Add the master KDC’s host principal to the master KDC’s keytab file.
kadmin: ktadd host/labkdc01.lab.slice2.com

Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.

d. Quit kadmin.
kadmin: quit

13) Synchronize the master KDCs clock.
-> svcadm restart ntp

14) Copy the Master KDC’s krb5.conf file to an NFS share for clients. Create a folder and share it out for clients.
-> mkdir -p /export/install/kerberos_files/
-> vi /etc/dfstab/dfs and add something like this to fit your environment:
share -F nfs -o rw=krbclient01.lab.slice2.com -d “Kerberos Files for Clients” /export/install/kerberos_files
-> wq!
-> shareall
-> cp /etc/krb5/krb5.conf /export/install/kerberos_files/

15) Backup the KDC database

-> /usr/sbin/kdb5_util dump -verbose /export/install/kerberos_files/krb5.db.bkp

K/M@LAB.SLICE2.COM
changepw/labkdc01.lab.slice2.com@LAB.SLICE2.COM
clntconfig/admin@LAB.SLICE2.COM
host/krbclient01.lab.slice2.com@LAB.SLICE2.COM
host/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kadmin/changepw@LAB.SLICE2.COM
kadmin/history@LAB.SLICE2.COM
kadmin/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM
krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
kws/admin@LAB.SLICE2.COM
nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM

16) Create user principles.
-> kadmin kws/admin
-> addprinc johndoe

WARNING: no policy specified for johndoe@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “johndoe@LAB.SLICE2.COM”:
Re-enter password for principal “johndoe@LAB.SLICE2.COM”:
Principal “johndoe@LAB.SLICE2.COM” created.

Test user:

-> kinit johndoe
-> klist -c

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: johndoe@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 11:50:45 06/07/13 19:50:45 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 11:50:45

Configure a Solaris client to use Kerberos.

1) Login as root to the client. Interactively Configure Kerberos by answering the questions in red:
-> /usr/sbin/kclient

Starting client setup

—————————————————
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: LAB.SLICE2.COM
Specify the KDC hostname for the above realm: labkdc01.lab.slice2.com
labkdc01.lab.slice2.com

Note, this system and the KDC’s time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: kws/admin
Obtaining TGT for kws/admin …
Password for kws/admin@LAB.SLICE2.COM:

Do you have multiple DNS domains spanning the Kerberos realm LAB.SLICE2.COM ? [y/n]: n
No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: y

nfs/krbclient01.lab.slice2.com entry ADDED to KDC database.
nfs/krbclient01.lab.slice2.com entry ADDED to keytab.

host/krbclient01.lab.slice2.com entry ADDED to KDC database.
host/krbclient01.lab.slice2.com entry ADDED to keytab.

Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: /net/10.10.10.101/export/install/kerberos_files/krb5.conf

Copied /net/10.10.10.101/export/install/kerberos_files/krb5.conf.

—————————————————
Setup COMPLETE.

2) Check the configuration.
-> klist -e -k -t

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp Principal
—- —————– ———————————————————
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3) Configure ssh to user Kerberos.

3) Create a Kerberos principal to local Solaris user connection using the gsscred command. In this example, link my Kerberos principal johndoe@LAB.SLICE2.COM to my local Solaris user johndoe.

-> gsscred -m kerberos_v5 -a -c John Doe -n johndoe@LAB.SLICE2.COM -u johndoe

a. Check the Kerberos association database:

-> gsscred -l
0401000B06092A864886F712010202000000166A6F686E646F65404C41422E534C494345322E434F4D 100 johndoe, kerberos_v5

4) Ticket info. Sometimes you have to destroy the ticket to properly obtain a new one.
-> kdestroy

Get a fresh ticket:

-> kinit kws/admin
Password for kws/admin@LAB.SLICE2.COM:

Now list your new ticket:

-> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kws/admin@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 15:12:31 06/07/13 23:12:31 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 15:12:31

Now you can login to kadmin as the kws admin user.

-> kadmin kws/admin
Authenticating as principal kws/admin@LAB.SLICE2.COM with password.
Password for kws/admin@LAB.SLICE2.COM:

Configuring MPIO and iSCSI Mutual CHAP on Windows 2003, Windows 2008 and Windows 2012 with NetApp storage.

02 Sunday Jun 2013

Posted by in Security, Windows

Leave a comment

Tags

,

This is a followup to a previous post where I outlined how to deploy iSCSI LUNs using NetApp SnapDrive for Windows. This post does not use SnapDrive.

This document demonstrates how to enable MPIO, configure Mutual CHAP for iSCSI sessions, create iGroups and LUNs and then format the LUNs with NTFS.

The doc is here: Configuring MPIO and iSCSI Mutual CHAP on Windows v1

It covers Windows 2003, Windows 2008 and Windows 2012. Since Windows 2003 is quite lame, I had to use the NetApp DSM MPIO. Otherwise, its just plain old native Windows features and NetApp LUNs. All OS’s are grouped together by task so if you only need Windows 2003, just follow those steps through the document. Same for Windows 2008 or 2012.

Yes, Mutual CHAP does not provide robust crypto security but its better than nothing. It’s also a DoD STIG finding if not enabled. Its fairly easy to configure so why not use it.

SoftPerfect Netscan vs. AngryIP

23 Thursday May 2013

Posted by in Security, Windows

Leave a comment

Tags

,

I set out to do a quick comparison between SoftPerfect Network Scanner (Netscan) and AngryIP because AngryIP seems to get more love. I don’t know why. Just spend 5 minutes with SoftPerfect Network Scanner and you will abandon AngryIP in a heartbeat. SoftPerfect Network Scanner is clearly a better application. Its faster, highly configurable and more feature rich than AngryIP. SoftPerfect Network Scanner is a must have for all Sysadmin or Security professionals.

Both are standalone executable for Windows so no installation is required. The scan results below (with defaults enabled) proves the speed test. Netscan is much faster.

AngryIP
Version: v3.2
Speed: 5 minutes to scan a /24
Max Threads: 10 threads at a time

SoftPerfect Network Scanner (Netscan)
Version: 5.4.11
Speed: 1 minute and 5 seconds to scan a /24
Max Threads: 50 theads at a time

See the .pdf for the interface differences between SoftPerfect Network Scanner and AngryIP here: Netscan vs AngryIP

Take them both for a spin and see for yourself.

SoftPerfect Network Scanner URL:
http://www.softperfect.com/products/networkscanner/?from=auto

AngryIP URL:
http://angryip.org/w/Home

Free VMware Class – Security Principles in Virtualized Data Centers

09 Thursday May 2013

Posted by in Security, VMware

Leave a comment

Tags

,

Overview:
In this free eLearning course you will review security requirements and learn how to secure the virtualized datacenter environment as well as explain cloud security features and concepts.
Outline:

•  In the first module, Security in a Virtualized Data Center, we will describe security principles and identify unique security considerations in virtualized data center environments.
•  In the Platform Hardening module we will describe VMware vSphere® security and present some vSphere hardening examples.
•  In the Security Compliance and Governance module we will describe compliance, common standards, common compliance controls, VMware compliance example with PCI, and examine VMware compliance solutions.
•  In the Security Use Cases in Virtualized Data Centers module we will explain how to protect business-critical applications in virtualized environments and how to secure VMware View virtual desktop infrastructure deployments.
•  In the Private Cloud Security module we will define cloud computing, examine private cloud architecture, and examine security considerations in private clouds.
•  In the last module, the Ecosystem Enablement and APIs, we will describe the vCloud Ecosystem Framework, introduce the relevant APIs, along with the VMware Ready program that Technology Alliance Partners use to access the APIs. Finally, we will show some examples of partner integrations.

Register here:
http://mylearn.vmware.com/mgrReg/courses.cfm?ui=www_edu&a=det&id_course=172855

Updating Nessus to the newly released 5.20 on Kali Linux

23 Tuesday Apr 2013

Posted by in Linux, Nessus, Security

Leave a comment

Tags

,

Nessus just released version 5.20.  So, a quick follow-up to my recent post on installing Nessus is as follows.

Details:  http://www.tenable.com/products/nessus/new-in-nessus-52

Downloads:   http://www.tenable.com/products/nessus/nessus-download-agreement

> dpkg -i Nessus-5.2.0-debian6_amd64.deb
(Reading database … 241907 files and directories currently installed.)
Preparing to replace nessus 5.0.3 (using Nessus-5.2.0-debian6_amd64.deb) …
$Shutting down Nessus : .
Unpacking replacement nessus …
Setting up nessus (5.2.0) …
Fetching the newest plugins from nessus.org…
Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute
nessusd (Nessus) 5.2.0 [build N24017] for Linux
Copyright (C) 1998 – 2013 Tenable Network Security, Inc

Processing the Nessus plugins…
[##################################################]

All plugins loaded

– You can start nessusd by typing /etc/init.d/nessusd start
– Then go to https://localhost:8834/ to configure your scanner

> /etc/init.d/nessusd start
$Starting Nessus : .