The official release of the vSphere 5.1 Hardening Guide offers guidance on securely deploying VMware vSphere 5.1.
The Official vSphere 5.1 Hardening Guide has been released
22 Monday Apr 2013
18 Thursday Apr 2013
1) First step is patch your Kali Linux system.
> su - root
> apt-get update
> apt-get upgrade
2) For some crazy reason Nessus is not part of the default Kali tool set. There must be some drama between these guys. The Kali apt repositories don't include Nessus, so you must download the .deb package from Tenable.
Choose the debian 6 x64 package here:
http://www.tenable.com/products/nessus/select-your-operating-system
Register to get a key for the home feed here:
http://www.tenable.com/products/nessus/nessus-homefeed
3) Install nessus.
> su - root
> cd /to/path/of/nessus/download
> dpkg -i Nessus*.deb
> rm Nessus*.deb
4) Register nessus. Obtain the key from the email sent by Tenable when you registered. It will be used to register your home feed and authorize your instance to download plug-ins.
> cd /opt/nessus/bin/
> ./nessus-fetch --register "1234-ABCD-5678-EFGH-9101"
Note: there are two dashes "--" in front of --register
> cd /opt/nessus/etc/nessus
> cp nessusd.conf.imported nessusd.conf
5) Start nessus.
> /etc/init.d/nessusd start
6) Nessus takes about 10 minutes to initialize the first time. Launch a browser and enter https://localhost:8834 to see if it's ready. When it is ready the wizard will start. Create a user, enter the word offline for the registration (since you already did this above) and then log in.
10 Wednesday Apr 2013
The NetApp Data ONTAP Powershell Toolkit has come a long way. The latest release has many improvements including the new simplified installer. It couldn’t be easier to deploy and use.
See this .pdf to get started. Installing NetApp Data ONTAP Powershell Toolkit v2.3
The commands below represent the NetApp Powershell cmdlet version of the ONTAP commands referenced in a previous post titled http://slice2.com/2013/04/01/hardening-netapp-dataontap-8-1x/
Edit the text below to fit your environment and save as a .ps1 script. When done, simply execute it inside a powershell session or just run the command one at a time to get familiar.
1) Login to Controller.
If you want to put your controller name in the command, edit the Example line below. Otherwise, the Connect-NaController cmdlet will prompt you for a username and password and then for the controller name you want to log in to.
Example: Connect-NaController -Name <your filer hostname or ip> -Credential (Get-Credential) -https
Connect-NaController -Credential (Get-Credential) -https
2) Set up ssh with strong keys. Both protocol versions are switched off first, because SSH has to be disabled before it can be reconfigured; the -OptionValue parameter was missing from these two lines.
Set-NaOption -OptionName ssh1.enable -OptionValue off
Set-NaOption -OptionName ssh2.enable -OptionValue off
Initialize-NaSecureAdminSsh -Ssh1HostKeySize 2048 -Ssh1ServerKeySize 1920 -Ssh2HostKeySize 2048 -Force -Confirm
3) Set options.
Set-NaOption -OptionName ssh.idle.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName ssh1.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.distinct.enable -OptionValue on -Confirm
Set-NaOption -OptionName rsh.access -OptionValue "none" -Confirm
Set-NaOption -OptionName rsh.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.access -OptionValue "none" -Confirm
Set-NaOption -OptionName telnet.enable -OptionValue off -Confirm
Set-NaOption -OptionName webdav.enable -OptionValue off -Confirm
Set-NaOption -OptionName autologout.console.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.console.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName autologout.telnet.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.telnet.timeout -OptionValue 5 -Confirm
Set-NaOption -OptionName security.passwd.rules.enable -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.everyone -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum -OptionValue 8 -Confirm
Set-NaOption -OptionName security.passwd.rules.maximum -OptionValue 16 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.alphabetic -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.digit -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.symbol -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.history -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.lockout.numtries -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.firstlogin.enable -OptionValue off -Confirm
Set-NaOption -OptionName sp.autologout.enable -OptionValue on -Confirm
Set-NaOption -OptionName sp.autologout.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName sp.ssh.access -OptionValue * -Confirm
Set-NaOption -OptionName ndmpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName interface.blocked.cifs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.ftpd -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.iscsi -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.nfs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.snapmirror -OptionValue e0M -Confirm
Set-NaOption -OptionName ip.fastpath.enable -OptionValue off -Confirm
Set-NaOption -OptionName ip.icmp_ignore_redirect.enable -OptionValue on -Confirm
Set-NaOption -OptionName ip.match_any_ifaddr -OptionValue off -Confirm
Set-NaOption -OptionName ip.ping_throttle.alarm_interval -OptionValue 15 -Confirm
Set-NaOption -OptionName ip.ping_throttle.drop_level -OptionValue 100 -Confirm
Set-NaOption -OptionName tftpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName ssl.v2.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.v3.enable -OptionValue on -Confirm
Set-NaOption -OptionName tls.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.admin.enable -OptionValue off -Confirm
Set-NaOption -OptionName httpd.admin.ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName nfs.tcp.enable -OptionValue on -Confirm
4) Set up the SNMPv3 parameters.
You still have to set up OnCommand (DFM). This just takes care of the controller.
See http://slice2.com/2013/03/20/how-to-enable-snmpv3-in-ontap-7-3-38-x-and-dfmoncommand-core-4-05-x
Set-NaRole -Role snmpv3role -AddCapabilities login-snmp -Confirm
Set-NaGroup -Group snmpv3group -AddRoles snmpv3role -Confirm
Set-NaUser -User snmpv3user -AddGroups snmpv3group -Confirm
5) You need to add your OnCommand/DFM Server name below. Use fqdn or ip address. Also edit the read only (ro) community string to your setting if not public and the Location and Contact.
Set-NaOption -OptionName snmp.enable -OptionValue on -Confirm
Add-NaSnmpTrapHost -Host 10.10.10.26 -Confirm
Remove-NaSnmpCommunity -Community public
Set-NaSnmpLocation -Location "Roswell NM"
Set-NaSnmpContact -Contact "The Borg"
6) Set up syslog. Edit these parameters to point to your syslog server. Note that there must be a tab, not a space, between the selector and the syslog IP address; inside a double-quoted PowerShell string the `t escape produces that tab, so the line below no longer depends on pasting a literal tab character.
Write-NaFile -Path /vol/vol0/etc/syslog.conf -AppendLine "*.*`t@10.10.10.100"
01 Monday Apr 2013
This configuration can be implemented on ONTAP 8.1.1 and 8.1.2. Some options are not available on 7.3.x or 8.0.x, but that shouldn't prevent you from hardening as many options as possible. If an option is not available on your version, skip it and move to the next one. I'll cover securing the controllers, OnCommand Unified Manager and 7.3.x FilerView with certificates in another post.
Secure shell should already be enabled on your controller. If the system has been around a while or the deployment engineer accepted defaults, chances are you have weak keys. Note that this process also generates keys for SSHv1, which is insecure and no longer used (it will be disabled later in this HOWTO). Also, the host and server key sizes must differ by at least 128 bits, which explains the size differential in the steps that follow. As the root user, run:
1) SSH has to be disabled before you configure it.
> secureadmin disable all
2) If it has been setup before, use the -f switch.
> secureadmin setup -f ssh
SSH Setup
———
Determining if SSH Setup has already been done before…yes
You have chosen to re-run SSH Setup. The old host keys will be
backed up to the following files:
/etc/sshd/ssh_host_key.201303310835
/etc/sshd/ssh_host_rsa_key.201303310835
/etc/sshd/ssh_host_dsa_key.201303310835
Do you want to proceed? [no] y
SSH server supports both ssh1.x and ssh2.0 protocols.
SSH server needs two RSA keys to support ssh1.x protocol. The host key is
generated and saved to file /etc/sshd/ssh_host_key during setup. The server
key is re-generated every hour when SSH server is running.
SSH server needs a RSA host key and a DSA host key to support ssh2.0 protocol.
The host keys are generated and saved to /etc/sshd/ssh_host_rsa_key and
/etc/sshd/ssh_host_dsa_key files respectively during setup.
SSH Setup will now ask you for the sizes of the host and server keys.
For ssh1.0 protocol, key sizes must be between 384 and 2048 bits.
For ssh2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.
Please enter the size of host key for ssh1.x protocol [768] :2048
Please enter the size of server key for ssh1.x protocol [512] :1920
Please enter the size of host keys for ssh2.0 protocol [768] :2048
You have specified these parameters:
host key size = 2048 bits
server key size = 1920 bits
host key size for ssh2.0 protocol = 2048 bits
Is this correct? [yes] yes
Setup will now generate the host keys. It will take a minute.
After Setup is finished the SSH server will start automatically.
Sun Mar 31 08:35:48 EST [sim812:secureadmin.ssh.setup.passed:info]: SSH setup is done and ssh2 is enabled. Host keys are stored in /etc/sshd/ssh_host_key,
/etc/sshd/ssh_host_rsa_key, and /etc/sshd/ssh_host_dsa_key.
3) If using Putty or xterm, logout and login back in to accept the new, stronger keys.
4) Set the ssh.idle.timeout (set in seconds)
> options ssh.idle.timeout 600
4) Disable ssh1 and never use it unless you absolutely have no other choice.
> options ssh1.enable off
5) Enable the ability to separate SSH and ONTAP console sessions.
> options telnet.distinct.enable on
6) Disable RSH and never use it.
> options rsh.access “none”
> options rsh.enable off
7) Disable telnet and never use it.
> options telnet.access “none”
> options telnet.enable off
8) Disable webdav.
> options webdav.enable off
9) Configure Autologout.
> options autologout.console.enable on
> options autologout.console.timeout 60
> options autologout.telnet.enable on
> options autologout.telnet.timeout 5 (The SSH timeout is controlled by the telnet timeout setting)
10) Set the default user account settings. You may want to tune this to your environment. Note that Windows users can't use the max password size of 16.
> options security.passwd.rules.enable on
> options security.passwd.rules.everyone on
> options security.passwd.rules.minimum 8
> options security.passwd.rules.maximum 16
> options security.passwd.rules.minimum.alphabetic 2
> options security.passwd.rules.minimum.digit 2
> options security.passwd.rules.minimum.symbol 2
> options security.passwd.rules.history 6
> options security.passwd.lockout.numtries 6
> options security.passwd.firstlogin.enable off (This setting locks out root so don’t turn it on!)
Note: root and the service processor's naroot user share the same password, so root's password cannot exceed 16 characters.
11) Configure options for the service processor.
> options sp.autologout.enable on
> options sp.autologout.timeout 60 (set in minutes. This can be shortened, but uninterrupted SP access is critical during upgrades or troubleshooting)
> options sp.ssh.access * (this should be set to a specific IP/CIDR range rather than * to be more secure. If you must access your controllers from many networks, leave it at *.)
12) Disable NDMP until needed. NDMP is very useful in certain sysadmin situations but doesn't need to be left on unless you dump to VTLs or tape libraries.
> options ndmpd.enable off
13) Disable specific protocols on the management interface. It's a good idea to block protocols on interfaces that will never carry that traffic type. These options let you properly isolate traffic, which complements VLAN separation.
> options interface.blocked.cifs e0M
> options interface.blocked.ftpd e0M
> options interface.blocked.iscsi e0M
> options interface.blocked.nfs e0M
> options interface.blocked.snapmirror e0M
To unblock a protocol on the interface again, set the option back to an empty string, for example:
> options interface.blocked.nfs ""
14) NetApp recommended IP options:
> options ip.fastpath.enable off
> options ip.icmp_ignore_redirect.enable on
> options ip.match_any_ifaddr off
> options ip.ping_throttle.alarm_interval 15
> options ip.ping_throttle.drop_level 100
15) Disable TFTP.
> options tftpd.enable off
16) Enable SSL on the controller.
> options ssl.enable on
> options ssl.v2.enable off
> options ssl.v3.enable on
> options tls.enable on
Enable SSL for System Manager:
> options httpd.admin.enable off
> options httpd.admin.ssl.enable on
> options httpd.timeout 600 (timeout time in seconds, 600 = 10 minutes)
16) Enable SNMPv3 for secure communication between OnCommand(DFM) and the controller. See my other post for the simple steps here:
How to Enable SNMPv3 in ONTAP 7.3.3/8.x and DFM (OnCommand Core) 4.0/5.x
17) Create a banner for SSH and SP console login. Using a text editor, create a login banner. Copy the text to your Windows/Unix buffer so you can paste it in the follow steps.
> options ssh2.banner.enable on
> wrfile /etc/motd and paste your banner text into the terminal. Press CTRL+C to save the file (ignore the warning).
> wrfile /etc/issue and paste the text above into the terminal. Press CTRL+C to save the file (ignore the warning).
18) Create administrative users. Don't log in as root. Create user accounts in the Administrators group so you have an audit trail. Also note that the parameters for min/max password age (-m -M) fit common best practices.
> useradmin user add john.doe -g Administrators -m 1 -M 90
a) For OnCommand Unified Manager, consider an account such as:
> useradmin user add OnCommandAdmin -g Administrators -m 1 -M 365
b) For NetApp Virtual Storage Console (VSC), consider an account such as:
> useradmin user add VSCadmin -g Administrators -m 1 -M 365
c) When setting user password expiry, you occasionally get locked out. To determine a user's status, check the "Status" section of the output of the following command:
> useradmin user list john.doe
If Status is expired, the only way to enable the user account is to change the password. Login as root or an admin user and enter:
> passwd
Login: john.doe
New password:
Retype new password:
19) Configure NFS Parameters. Since most of us have VMware ESXi clusters in our environment, we must use NFSv3. ESXi does not support NFSv4 so the enhanced security is not available. Enable NFS over TCP rather than UDP for ESXi hosts.
> options nfs.tcp.enable on
20) Identify your admin host on the controller. This is a hidden option that is not shown by the options command unless it is defined: entering > options admin.hosts returns no output if it is not configured. It should be set to a dedicated host, possibly your OnCommand Unified Manager server, which should also host System Manager, Performance Advisor, Config Advisor, the VASA plugin, the ONTAP PowerShell Toolkit and other NetApp management tools.
> options admin.hosts <your server name>
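Once the options in this post (or the equivalent Set-NaOption lines in the PowerShell Toolkit post above) have been applied, it is worth checking that they actually stuck, especially after a takeover or an upgrade. The following Python script is an added example and not part of this post: paste the output of the 7-Mode `options` command into it and it reports every baseline option whose value differs or is missing. The option names and values are taken from the steps above; the sample `options` output is constructed.

```python
"""Compare a 7-Mode ONTAP 'options' dump with the hardening baseline above."""

# Option -> expected value, taken from the hardening steps in this post.
BASELINE = {
    "ssh.idle.timeout": "600",
    "ssh1.enable": "off",
    "rsh.enable": "off",
    "telnet.enable": "off",
    "webdav.enable": "off",
    "autologout.console.enable": "on",
    "security.passwd.rules.enable": "on",
    "security.passwd.rules.everyone": "on",
    "security.passwd.firstlogin.enable": "off",
    "ndmpd.enable": "off",
    "tftpd.enable": "off",
    "ssl.v2.enable": "off",
    "httpd.admin.enable": "off",
    "httpd.admin.ssl.enable": "on",
}

# Constructed sample of 'options' output: name, whitespace, value, and on some
# lines the "(value might be overwritten in takeover)" note 7-Mode appends.
SAMPLE_OPTIONS_OUTPUT = """\
autologout.console.enable    on
httpd.admin.enable           on
httpd.admin.ssl.enable       on
ndmpd.enable                 on         (value might be overwritten in takeover)
rsh.enable                   off
security.passwd.firstlogin.enable off
security.passwd.rules.enable on
ssh.idle.timeout             0
ssh1.enable                  on
ssl.v2.enable                off
telnet.enable                off
tftpd.enable                 off
webdav.enable                off
"""


def parse_options(text):
    """Return {option_name: value}; an option with no value token maps to ""."""
    opts = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("("):
            continue  # blank line or a wrapped takeover note
        has_value = len(tokens) > 1 and not tokens[1].startswith("(")
        opts[tokens[0]] = tokens[1].lower() if has_value else ""
    return opts


def audit(text, baseline=BASELINE):
    """Return sorted (option, expected, actual) for each deviation; actual is
    None when the option is absent from the dump."""
    current = parse_options(text)
    findings = [(name, expected, current.get(name))
                for name, expected in baseline.items()
                if current.get(name) != expected]
    return sorted(findings)


if __name__ == "__main__":
    for name, expected, actual in audit(SAMPLE_OPTIONS_OUTPUT):
        state = "missing" if actual is None else "is %r" % actual
        print("%-36s expected %-4s %s" % (name, expected, state))
```

Extend BASELINE with the remaining options from the steps above for a full check; the parser treats an option set to "" (such as an unblocked interface.blocked.* option) as an empty value rather than skipping it.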
21) Configure Syslog to send to a remote syslog server like Splunk, Kiwi, WhatsUp, etc.
> rdfile /etc/syslog.conf.sample
Copy the text below, paste it into notepad.exe and add your syslog server hostname or IP address. Note: use the tab key, not the space bar, to separate the selector (*.info, *.err;kern.*, local7.*) from <your syslog server>.
# Log messages of priority info or higher to the console and to /etc/messages
*.info /dev/console
*.info /etc/messages
*.* @<your syslog server>
# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to a remote host, e.g. adminhost
# *.err;kern.* @adminhost
# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to the local7 facility of the
# syslogd on a remote host, e.g. adminhost.
# *.err;kern.* local7.*@adminhost
local7.* @<your syslog server>
a) After you have made the changes to the file above, perform the following:
> wrfile /etc/syslog.conf
b) Paste the text from notepad into the blank console, press enter to add a line at the bottom of the input and press CTRL+C to end the session. Ignore the error that appears.
c) The Syslog service should restart in 15 seconds. If it does not, send a test message:
> logger Hello World
d) If you don't see "kern.syslogd.restarted:info]: syslogd: Restarted" on the console within 20-30 seconds of saving the file, manually restart the syslog service.
> priv set advanced
*> syslog reset_syslog
*> priv set admin
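The tab-versus-space mistake called out in this step (and in the PowerShell Toolkit post above) is easy to make when the file goes through notepad and a terminal paste, and a rule that is silently ignored means the remote syslog server never receives the controller's messages. The following Python checker is an added example, not part of this post: it flags rules whose selector and action are separated by spaces, rules with no action, malformed selectors, and duplicated rules, and can rewrite the file with real tabs before you paste it into wrfile. The sample syslog.conf is constructed.

```python
"""Check an ONTAP /etc/syslog.conf for the tab-separator mistake described above."""
import re

# Constructed sample: line 4 uses spaces instead of a tab, line 6 repeats the
# rule from line 4, line 7 has no action and line 8 has a malformed selector.
SAMPLE_SYSLOG_CONF = (
    "# Log messages of priority info or higher to the console and to /etc/messages\n"
    "*.info\t/dev/console\n"
    "*.info\t/etc/messages\n"
    "*.*   @10.10.10.100\n"
    "*.err;kern.*\t@adminhost\n"
    "*.*\t@10.10.10.100\n"
    "*.warn\n"
    "mail,info\t/etc/messages\n"
)

# One selector part: facility list (or *), a dot, then a priority (or *).
SELECTOR_RE = re.compile(r"^[A-Za-z0-9*,]+\.[A-Za-z0-9*!=]+$")


def split_rule(line):
    """Return (selector, separator, action) for a rule line, None for comments/blank."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = re.match(r"^(\S+)(\s*)(.*)$", stripped)
    return m.group(1), m.group(2), m.group(3).strip()


def check_syslog_conf(text):
    """Return [(line_number, problem), ...]; an empty list means the file is clean."""
    issues, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        parsed = split_rule(line)
        if parsed is None:
            continue
        selector, sep, action = parsed
        if not action:
            issues.append((n, "no action after selector %r" % selector))
            continue
        if "\t" not in sep:
            issues.append((n, "selector and action separated by spaces, not a tab"))
        for part in selector.split(";"):
            if not SELECTOR_RE.match(part):
                issues.append((n, "malformed selector %r" % part))
        if not action.startswith(("@", "/")):
            issues.append((n, "action %r is neither @host nor an absolute path" % action))
        if (selector, action) in seen:
            issues.append((n, "duplicate of line %d" % seen[(selector, action)]))
        seen.setdefault((selector, action), n)
    return issues


def normalize(text):
    """Rewrite each rule as 'selector<TAB>action' so a pasted file has real tabs."""
    out = []
    for line in text.splitlines():
        parsed = split_rule(line)
        out.append(line if parsed is None or not parsed[2]
                   else "%s\t%s" % (parsed[0], parsed[2]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, problem in check_syslog_conf(SAMPLE_SYSLOG_CONF):
        print("line %d: %s" % (n, problem))
```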
26 Tuesday Mar 2013
Yes, I know this is a default config but if you are new to Snort it gets you up and running quickly so you can actually tinker with a running system. If you haven’t installed pkgin, see my post How to install XFCE on NetBSD 6 and run the steps to install pkgin.
1) Get the software.
> pkgin avail | grep snort
oinkmaster-2.0nb1 Manage snort rule updates
snort-2.8.5.1nb2 The Open Source Network Intrusion Detection System
snort-rules-2.4 Network Intrusion Detection System (Community Rules)
snortsnarf-20050314.1nb1 Generate HTML report summaries from snort incident alerts
> pkgin install oinkmaster-2.0nb1
> pkgin install snort-2.8.5.1nb2
> pkgin install snort-rules-2.4
> pkgin install snortsnarf-20050314.1nb1
> pkgin install libpcap
> pkgin install tcpdump
> pkgin install pcre-*
2) Create the empty rules files that the stock snort.conf includes via its RULE_PATH variable in /usr/pkg/share/snort/rules, otherwise Snort refuses to start on a missing include.
> touch /usr/pkg/share/snort/rules/local.rules
> touch /usr/pkg/share/snort/rules/bad-traffic.rules
> touch /usr/pkg/share/snort/rules/exploit.rules
> touch /usr/pkg/share/snort/rules/scan.rules
> touch /usr/pkg/share/snort/rules/finger.rules
> touch /usr/pkg/share/snort/rules/ftp.rules
> touch /usr/pkg/share/snort/rules/telnet.rules
> touch /usr/pkg/share/snort/rules/rpc.rules
> touch /usr/pkg/share/snort/rules/rservices.rules
> touch /usr/pkg/share/snort/rules/dos.rules
> touch /usr/pkg/share/snort/rules/ddos.rules
> touch /usr/pkg/share/snort/rules/dns.rules
> touch /usr/pkg/share/snort/rules/tftp.rules
> touch /usr/pkg/share/snort/rules/web-cgi.rules
> touch /usr/pkg/share/snort/rules/web-coldfusion.rules
> touch /usr/pkg/share/snort/rules/web-iis.rules
> touch /usr/pkg/share/snort/rules/web-frontpage.rules
> touch /usr/pkg/share/snort/rules/web-misc.rules
> touch /usr/pkg/share/snort/rules/web-client.rules
> touch /usr/pkg/share/snort/rules/web-php.rules
> touch /usr/pkg/share/snort/rules/sql.rules
> touch /usr/pkg/share/snort/rules/x11.rules
> touch /usr/pkg/share/snort/rules/icmp.rules
> touch /usr/pkg/share/snort/rules/netbios.rules
> touch /usr/pkg/share/snort/rules/misc.rules
> touch /usr/pkg/share/snort/rules/attack-responses.rules
> touch /usr/pkg/share/snort/rules/oracle.rules
> touch /usr/pkg/share/snort/rules/mysql.rules
> touch /usr/pkg/share/snort/rules/snmp.rules
> touch /usr/pkg/share/snort/rules/smtp.rules
> touch /usr/pkg/share/snort/rules/imap.rules
> touch /usr/pkg/share/snort/rules/pop2.rules
> touch /usr/pkg/share/snort/rules/pop3.rules
> touch /usr/pkg/share/snort/rules/nntp.rules
> touch /usr/pkg/share/snort/rules/other-ids.rules
3) Test config.
> /usr/pkg/bin/snort -T -i wm0 -u snort -g snort -c /usr/pkg/etc/snort/snort.conf
4) Start Snort.
> /usr/pkg/bin/snort -D -i wm0 -A fast -b -d -u snort -g snort -c /usr/pkg/etc/snort/snort.conf -l /var/log/snort
5) Monitor hits.
> tail -f /var/log/snort/alert
6) After an hour or so, run snortsnarf.pl to get an html report.
> mkdir -p /var/log/snort/report
> /usr/pkg/bin/snortsnarf.pl -d /var/log/snort/report /var/log/snort/alert
> cd /var/log/snort/report
> firefox index.html
Note: if you don’t have an X11 desktop, just scp the report folder over to a host that does and run firefox index.html from that host.
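Between tailing the alert file and waiting an hour for a snortsnarf report, it helps to have a quick summary of what Snort is firing on. The following Python script is an added example and not part of this post: it parses the one-line "-A fast" alert format written to /var/log/snort/alert and counts hits per signature, per source host and per destination port, listing priority-1 alerts separately. The alert lines are constructed (local-rule SIDs, private addresses).

```python
"""Summarize Snort '-A fast' alert lines such as those in /var/log/snort/alert."""
import re
from collections import Counter

# Fast-alert layout: timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
# (optional) [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (local-rule SIDs, private addresses); the last line
# is deliberately not an alert so the parser's skip path is exercised.
SAMPLE_ALERTS = """\
03/26-09:15:02.123456  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.10.5:1024 -> 10.10.10.1:161
03/26-09:15:03.001122  [**] [1:1000001:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.10.5:1025 -> 10.10.10.1:161
03/26-09:16:10.445566  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.10.10.7 -> 10.10.10.1
03/26-09:17:44.778899  [**] [1:1000003:2] LOCAL telnet login attempt [**] [Priority: 1] {TCP} 10.10.10.7:40112 -> 10.10.10.1:23
this line is not a fast alert and must be skipped
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["pri"] = int(alert["pri"])
    return alert


def summarize(text):
    """Count alerts per signature, per source host and per destination port."""
    by_sig, by_src, by_dport, skipped, high = Counter(), Counter(), Counter(), 0, []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        by_sig[(a["gid"] + ":" + a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
        by_dport[(a["proto"], a["dport"] or "-")] += 1
        if a["pri"] <= 1:  # priority 1 is the most severe in Snort's scheme
            high.append((a["ts"], a["src"], a["msg"]))
    return {"by_sig": by_sig, "by_src": by_src, "by_dport": by_dport,
            "skipped": skipped, "high": high}


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for (sid, msg), count in s["by_sig"].most_common():
        print("%5d  %-10s %s" % (count, sid, msg))
    print("top sources:", s["by_src"].most_common(3))
    print("priority-1 alerts:", s["high"])
```

To run it against the live file, replace SAMPLE_ALERTS with the contents of /var/log/snort/alert; lines in a different output format (for example "-A full") are counted as skipped rather than misparsed.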
25 Monday Mar 2013
Although HP has come a long way with iLO, it is still quite picky when it comes to AD integration and certificate management. This document is an attempt to make it easier to accomplish. Updating your firmware is the most important step. Don’t skip it.
I created a document detailing the steps. Download the pdf here: Integrating HP ILO with AD and CS
20 Wednesday Mar 2013
VMware does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user has permission to make that setting change. This follows the standard Linux practice that only root can put a network interface into promiscuous mode. See this VMware KB for details.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=287
20 Wednesday Mar 2013
1) On the filer:
> options snmp.enable on
> useradmin role add snmpv3role -a login-snmp
> useradmin group add snmpv3group -r snmpv3role
> useradmin user add snmpv3user -g snmpv3group
(you are prompted: Enter password: – set the password for snmpv3user)
> snmp traps enable
> snmp init 1
> snmp authtrap 1
> snmp traphost add <your DFM server hostname>
> snmp location <your filer location> (if spaces, put in quotes; snmp location "Area 51, Roswell New Mexico")
2) In the DFM browser based GUI:
a) Control Center tab | Setup | Options | SNMP Trap Listener. Click Yes to enable and click Update.
b) Control Center tab | Setup | Network Credentials.
i. If you have SNMPv1 networks defined, find the network of the filer you want to change to SNMPv3 in the list at the bottom of the page and click Edit on the right.
ii. Under Edit Network Credentials, select SNMPv3.
iii. Under SNMPv1 Settings, clear whatever is shown in this field.
iv. Under SNMPv3 Settings, enter the user and password you created above (snmpv3user) and click Update. DO NOT enter anything in the Privacy password field. It is designated for future use. If you do, you will see "snmpd:error Encryption not enabled" on the filer. Harmless but annoying.
3) At the command line on the DFM server:
a) Click Start | Run | type cmd and press enter.
C:\> cd c:\Program Files\Network Appliance\DataFabric\DFM\bin
> dfm host list (to get the filer’s ID and IP address)
> dfm host set <ip of filer> prefsnmpVersion=3
> dfm host get -q <ID of the filer you just changed to v3> (to verify the snmp version)
> dfm host diag <your filer hostname>
SNMP Version in use SNMPv3
SNMPv1 Failed (this is good)
SNMP Community <blank> (this is good, if not blank, see notes below)
SNMPv3 Passed (297ms)
SNMPv3 Auth Protocol MD5
SNMPv3 Privacy Enabled No (this OK, reserved for future use of the Privacy password)
SNMPv3 Username root (OK, diagnostics use root for this test, not the snmpv3user account)
SNMP sysName <I removed the value but it works>
SNMP sysObjectID <I removed the value but it works>
SNMP productID <I removed the value but it works>