In the process of building out my network intelligence system I need to have a central location to collect system and event logs on my network.  Since my ReadyNAS has Linux under the hood I figured what better place (since it has plenty of space to store LOTS of logs).  Here is what I did.

First, you need to have a ReadyNAS with OS6 on it. In my case I have one of the older ReadyNAS Pro 6 boxes, which only officially support the older 4.x OS. But there is a very easy way to upgrade to OS6 and it has been very reliable for me. The downside is that it will require wiping out all data on your NAS and reformatting (Backup, Backup, BACKUP!). I believe it's well worth the hassle of backing up and restoring data to get this upgrade. It will void your warranty (or make it much more difficult to get through tech support), but it appears that Netgear has been reasonably responsive in adding fixes for the unsupported legacy hardware. Once my NAS was converted, updates have been easy and automatic. Anyway, here is the info I followed to convert: ReadyNAS Forums

Now, to set up syslog (rsyslog) to receive incoming logs from your network, do the following:

  1. Log into your NAS and enable SSH
    1. Go to System -> Settings -> Service -> SSH
  2. Create a new folder to store/share your logs
    1. Go to Shares -> Choose a Volume (or create one)
    2. Create a new Folder (call it logs?) and set permissions as you like
  3. Create a new group
    1. Go to Accounts -> Groups -> New Group
    2. Create a new Group (call it logs?) and set permissions as you like
  4. Go back to your new “logs” share folder and set permissions such that the “logs” group has read/write perms
    (These are very liberal permissions and basic groups/users, you can go much more restrictive, which I would recommend once you’ve got the basics working)
  5. Now ssh to your ReadyNAS as root using the same password as your web based admin account
  6. Install rsyslog
    1. apt-get install rsyslog
  7. Configure rsyslog
    1. vim.tiny /etc/rsyslog.conf
      If you don't know vim, go read up first; you need to know how to insert, delete, and save
    2. Change the following lines:

      Remove the # signs in front of these lines at the top:
      $ModLoad imudp
      $UDPServerRun 514
      $ModLoad imtcp
      $InputTCPServerRun 514

      Add the # sign to these lines:
      #*.*;auth,authpriv.none -/var/log/syslog
      #cron.* /var/log/cron.log
      #daemon.* -/var/log/daemon.log
      #kern.* -/var/log/kern.log
      #lpr.* -/var/log/lpr.log
      #mail.* -/var/log/mail.log
      #user.* -/var/log/user.log
      #mail.info -/var/log/mail.info
      #mail.warn -/var/log/mail.warn
      #mail.err /var/log/mail.err
      #news.crit /var/log/news/news.crit
      #news.err /var/log/news/news.err
      #news.notice -/var/log/news/news.notice
      #*.=debug;\
      #            auth,authpriv.none;\
      #            news.none;mail.none -/var/log/debug
      #*.=info;*.=notice;*.=warn;\
      #             auth,authpriv.none;\
      #             cron,daemon.none;\
      #             mail,news.none -/var/log/messages

      And add these lines to the bottom:
      $template RemoteLog,"/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log"
      *.* ?RemoteLog

    3. Be sure to change the /data/logs part to match the volume and folder you created in step 2 above
  8. Now enable and restart rsyslog
    1. systemctl restart rsyslog.service
    2. systemctl enable rsyslog.service
  9. Check to make sure rsyslog started happily
    1. systemctl status rsyslog.service
    2. tailf /data/logs/2015/03/127.0.0.1/syslog.log
      You should see something like this: "rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="24127" x-info="http://www.rsyslog.com"] start"
  10. Log out of SSH and disable it if you don’t need it anymore.

That should cover the basics. By default the ReadyNAS itself will log from the IP 127.0.0.1; all other hosts will log from their IPs on your network. There is of course a lot more custom configuration you can do; this is just the basics. You will also be able to view your logs from the shared volume you created.

I commented out a lot of lines above to avoid duplicate logging in the /var/log directory, as that volume is only about 4GB in size. You can always re-enable them and change their path if you choose.
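As an added example (not part of the original post), a small shell check that confirms the step 7 edits actually took effect before you restart rsyslog; the config path is an assumption and is taken from the environment:

```shell
#!/bin/sh
# Added example, not from the original post: verify that rsyslog.conf carries
# the step 7 edits before restarting the service. Paths are assumptions.
# Usage: RSYSLOG_CONF=/etc/rsyslog.conf sh check_rsyslog.sh

# Directives that must be present and uncommented (from step 7).
REQUIRED='$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template RemoteLog,
*.* ?RemoteLog'

check_rsyslog_conf() {
    f="$1"; rc=0
    # Disable globbing: the '*.* ?RemoteLog' entry must not expand against $PWD.
    set -f; old_ifs=$IFS; IFS='
'
    for want in $REQUIRED; do
        # index()==1 means the line starts with the directive, so a commented
        # '#$ModLoad imudp' does not count.
        if ! awk -v w="$want" 'index($0, w) == 1 { ok = 1 } END { exit !ok }' "$f"; then
            echo "missing or commented out: $want"; rc=1
        fi
    done
    IFS=$old_ifs; set +f
    # Step 7 comments out every local /var/log rule; any left active duplicates
    # all remote traffic into the small /var/log volume.
    if ! awk '/^[^#].*\/var\/log\// { print "still logging locally: " $0; bad = 1 } END { exit bad }' "$f"; then
        rc=1
    fi
    # Note: as configured, rsyslog accepts messages from any host that can reach
    # port 514. On a LAN-only collector consider restricting senders, e.g.
    #   $AllowedSender UDP, 192.168.1.0/24   (placed before $UDPServerRun)
    return $rc
}

case "${RSYSLOG_CONF:-}" in
    ?*) check_rsyslog_conf "$RSYSLOG_CONF" && echo "rsyslog.conf looks good" ;;
esac
```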


I’ve been very busy updating my home network infrastructure lately.  I wanted to improve the zone separation, while at the same time providing a reasonably secure connection between my resources at home and my resources on the net.

Some of these changes include:

  • Replacing my SSG-140-SH Firewall with a new SRX220H2 w/POE Firewall.
  • Replacing my DELL 5448 Switch with a new Netgear GS724T Switch.
  • Removing an old 4 port POE switch.
  • Replacing my old VLAN setup (Main, Media, Utils) with my new VLAN setup (Main, Wireless, Media, Utils, LAB, VPN, Tunnel).
  • Upgrading my old Dell 860 (250GB RAID1 and 8GB RAM) co-located server with a new SuperMicro based server that has 12TB of storage and 32GB of RAM.  This is split into virtualization images, so I'll be able to work with Docker/CoreOS/KVM based technologies in my personal cloud.  This is tied into my home network via an OpenSwan -> SRX IPSec tunnel.  Additionally, the SRX will be able to provide dynamic SSL VPN capability for when I'm on the road.

All of the above gets added to my existing 12TB NAS, multiple POE wireless access points, and virtualization server.

I have a few more tweaks left to handle multicasting and cross-LAN traffic on the network, finishing up my log aggregation and analysis tools, as well as CoreOS and Docker work for PaaS deployments.  This should provide some nice resources for my security research.

So I finally took the time and got www.cafaro.net up and running on IPv6. I've had the addresses for a while, and getting Linux up and talking IPv6 is pretty straightforward. All you need is to add some lines like these to your ifcfg-ethX file:

IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=XXXX:XXXX:XXXX::XXXX:XXXX/64
IPV6_DEFAULTGW=XXXX:XXXX:XXXX::XXXX:1

And of course, can't forget to set up ip6tables to match what iptables is blocking!
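One way to mirror the IPv4 policy, as an added example rather than the post's own configuration: a minimal ruleset in ip6tables-restore format. The allowed ports are assumptions passed on the command line; the ICMPv6 rule is the part that has no IPv4 counterpart and must not be dropped.

```shell
#!/bin/sh
# Added example, not from the original post: build an ip6tables ruleset that
# mirrors a typical iptables policy (drop by default, allow a few TCP ports).
# Port numbers are assumptions; pass the same ones your iptables rules allow.
# Usage: sh ip6_firewall.sh 22 80 443          (prints the rules)
#        APPLY=1 sh ip6_firewall.sh 22 80 443  (loads them via ip6tables-restore)

ip6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Unlike IPv4, IPv6 breaks without ICMPv6: neighbour discovery, router
# advertisements and path MTU discovery all ride on it. Never copy an
# IPv4 "drop all ICMP" rule over to this table.
-A INPUT -p ipv6-icmp -j ACCEPT
EOF
    # One NEW-connection rule per allowed TCP port, same as the iptables side.
    for p in "$@"; do
        printf -- '-A INPUT -p tcp -m state --state NEW --dport %s -j ACCEPT\n' "$p"
    done
    # Everything else falls through to the INPUT DROP policy above.
    echo COMMIT
}

if [ "${APPLY:-0}" = 1 ]; then
    ip6_ruleset "$@" | ip6tables-restore
else
    ip6_ruleset "$@"
fi
```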

Getting Apache up on it was a little more fun. I've got some virtual hosts spread about, so I basically had to find every reference to my site's IP address and duplicate all relevant configs, swapping the IPv4 addresses (like 192.1.1.1) with a bracketed IPv6 address (like [1922:1::1]). Examples would be:

Listen [1922:1::1:2]:80
or
NameVirtualHost [1922:1::1:2]:80
or
<VirtualHost [1922:1::1:2]:80>

What was the real bear was WordPress and plugins. See, once I had this all set up and running for Apache, Apache wanted to talk to the world via IPv6 (IPv4 is still there, just less favored)! Of course, WordPress's and Akismet's servers don't do IPv6 and things broke. To fix a lot of this I had to enter /etc/hosts entries specifically for the WordPress and Akismet servers. Here are some examples of my entries:

UPDATE: The entries below are no longer needed and will break things; wordpress.org can be added for the news feed.

72.233.56.138 api.wordpress.org
66.150.40.250 wordpress.org
66.135.58.62 rest.akismet.com YOURKEY.rest.akismet.com
72.233.56.139 downloads.wordpress.org

With those in the hosts file, my system now defaults to IPv4 when those plugins try to do their behind-the-scenes checks. I also had to update the Dashboard news feed to the updated URL, which apparently changed since it was added to my WordPress install (they use a redirect on their server, which again fails with IPv6).

After all that it’s now up and running. Next will be tackling postfix and email over IPv6, but that’s for another month…

For years now I've used telnet as a quick and easy way to check whether the most basic network functionality of a service like HTTP is working, i.e., I telnet to port 80 and see the raw server communication. Very helpful in debugging network services. Where it fails is when you get into SSL services. Telnet to port 443 and sure, you'll see you connect, but you're not going to be doing an SSL handshake.

So I finally did a little googling and ran across this gem:

openssl s_client -connect www.example.com:443

And now I have SSL handshake and my raw plaintext interface that telnet provided.

Works great for all my SSL service troubleshooting (imap/pop/https/etc.).

Found the info at this site:

http://advosys.ca/viewpoints/2006/08/testing-ssl-with-command-line-tools/
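A small wrapper around that command, as an added example (not from the original post or the linked site): it picks the right mode for the port, since IMAP on 143 and POP on 110 negotiate TLS with STARTTLS rather than from the first byte, sends SNI, and pulls out the lines you actually look at when troubleshooting. Host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: wrap openssl s_client so the same
# command works for implicit-TLS ports (443, 993, 995) and STARTTLS ports
# (25, 587, 110, 143), then print the verify result, protocol, cipher and the
# certificate's subject and validity window.
# Usage: sh tls_probe.sh mail.example.com 143   (host names are placeholders)

# Build the s_client arguments for a host/port; STARTTLS protocol keyed by port.
tls_args() {
    host="$1"; port="$2"
    case "$port" in
        25|587) extra="-starttls smtp" ;;
        110)    extra="-starttls pop3" ;;
        143)    extra="-starttls imap" ;;
        *)      extra="" ;;    # 443, 993, 995: TLS from the first byte
    esac
    # -servername sends SNI, needed when one IP hosts several TLS virtual hosts.
    echo "-connect $host:$port -servername $host${extra:+ $extra}"
}

tls_probe() {
    args=$(tls_args "$1" "$2")
    # </dev/null closes stdin so s_client exits after the handshake instead of
    # waiting for the interactive session that telnet users are used to.
    out=$(openssl s_client $args </dev/null 2>&1)
    echo "$out" | grep -E '^ *(Verify return code|Protocol|Cipher) *:'
    # The leaf certificate is printed in PEM; x509 reads it from that output.
    echo "$out" | openssl x509 -noout -subject -issuer -dates
}

if [ $# -eq 2 ]; then tls_probe "$1" "$2"; fi
```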

OK, this has been bothering me for a while. I upgraded my desktop to CentOS 6 to have a nice stable platform going forward from my previous Fedora 14 install, and all was good.  Except Enigmail gpg passphrase caching broke.  Every time I hit an encrypted email I had to enter the passphrase at least twice, it seemed, and pity me if I clicked on a threaded email conversation.

So after digging around I found the following fix:

Edit .bash_profile and add:

gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

if [ -f "${HOME}/.gpg-agent-info" ]; then
. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
fi

Edit .bashrc and add:

GPG_TTY=$(tty)
export GPG_TTY

And now all is happy.  Some of this was found on this page:

http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT

Some of it was trial and error, plus a healthy amount of googling.

So it’s been over two years since my last post.  Been very busy in my life and haven’t had time to do as much tinkering and computer stuff at home as I usually would.  That’s not to say I haven’t done anything, just haven’t documented it.  Here are a few things that happened in the last two years:

  1. I changed jobs, I now work in computer, network, and systems security full time.  I’m loving it!  Finally getting to really practice what I preach in the security field.  Georgetown was fun and a great time to grow my general systems experience, but I’m enjoying the focus on computer and network security.

  2. Got a new car. This actually happened about three years ago, but I never posted about it.  The Chevy Blazer was taken out by its imploding supercharger and deemed not worth my time, effort, and money to repair.  Given it was early 2009 and car dealers were giving away cars, I got a great deal on a new 2009 VW Tiguan SE with AWD.  Still love the car and making small upgrades to it as the years go on to make it more mine.  I did actually stand up a page for that work here: My SUV Project (Tiguan).

  3. I made some network and computer upgrades at home as well.  I replaced my original first generation MacBook Pro 15" (Intel Core Duo 2Ghz) with a late 2010 model MacBook Pro 15" (Intel i7 Dual Core) with HD display and 8GB of RAM.  It's currently triple booting MacOS X 10.6, Fedora 16, and Windows 7 Enterprise.  I have a post on how to set up triple boot in the works.  I also upgraded my old Promise NS4300N 2TB NAS box with a new NetGear ReadyNAS Pro 6 12TB.  Much faster and a lot more storage, plus so many options.  I've kept the network up with technology and run full WiFi a/b/g 300mbps+ and GigE wired via NetGear WNDR4000 and assorted GigE switches, paired with FiOS internet.  Finally, I upgraded my workstation piece by piece to get it up to a Sandybridge i7 and 16GB RAM so that I can build out a new HD+CableCard MythTV network using VMs, the NAS box, and the new Silicon Dust HD Prime. I'll have a post later documenting my general network gear, as well as posts on how I set up MythTV.

  4. I’ve got a Barnes and Noble Nook Color as well.  It’s a great little device and hoping to take better advantage of it this coming year.  And yes, it’s rooted.  Running stock Nook Software but with the added benefit of sideloaded and standard android market apps too.

  5. And last but not least, still being a dad and husband working away enjoying watching the kids learn and grow (as I learn and grow).


I decided it was a little much having two “netbooks” around, so I sold my trusty Sharp MM20 (a netbook that came out before anyone heard of netbooks) to another MM20 owner with all the accessories.

So I've dedicated myself to the Acer Aspire One and it's doing a great job.  One complaint was the horribly slow 16GB SSD drive that it came with.  It's pitifully slow, and loading a full blown Linux distro on it started showing its shortcomings.  Well, this was solved by replacing the drive with a better performing RunCore based SSD drive.  Now the machine is quick and responsive.

I've loaded up Fedora 12 on the machine with "Desktop Effects" enabled, SELinux enforcing, and an encrypted hard drive via dm-crypt.  In truth, I notice no performance loss; it's quick and responsive with no stuttering.  Works great for web browsing, SSH sessions, and email.  That's all I really need from a netbook.  Oh, and 5 hour battery life is no problem for this little 2.5lb machine.

Well, I finally dumped the stock Xandros on the EeePC 1000 in favor of Fedora 9.  Must say I’m much happier, and it wasn’t too bad of an install.  I’ll write up details later, but the basics were download Fedora, install, reboot, download latest kernel, install (no net without it on the EeePC), reboot.  Yum update then reboot.  To get wireless working, had to download the driver from the card manufacturer, compile, install, and good to go.

Now there were some tricks and hoops involved (fixing the wireless card source, moving the updated kernel over with a USBkey, messing with a couple config files), but it wasn’t too bad.  Almost everything works, only thing not working yet is external displays, and that’s only because I haven’t gotten around to it.

Much happier now with a real firewall via IPTables, SELinux, and working English spell check!  Oh, and I went ahead and encrypted the file systems as well, why not.

Till I write my how-to, here are some useful links:

This thread contains most of the info you need:

http://fedoraforum.org/forum/showthread.php?t=195429

The wireless driver:

http://www.ralinktech.com/ralink/Home/Support/Linux.html

The Fedora EeePC wiki:

http://fedoraproject.org/wiki/EeePc

So I've been playing around more with my EeePC 1000.  Still really like it, but I've got two major complaints now besides the security issues I've mentioned before.

  1. There is NO English spellchecking installed for StarOffice.  The install of StarOffice includes spellchecking for Polish but apparently not English.  I’ve checked all over and that’s it, no English spell checking and no easy way to add it yet.  This is a major problem for me, I’m a terrible speller.
  2. The right shift key is too far to the right.  I’m a touch typist and key placement is important.  I’m used to having the right shift key and instead I hit the up arrow while typing.  I’ll probably solve this by remapping the shift key and the arrow key, but it’s a bad design.  Luckily it’s something I can work around, just annoying.

I really do need to find a solution to the spell check, or bite the bullet and do the Fedora install.

OK, so I've had my new Eee PC 1000 for several days and am loving it.  But I did find a few really glaring security issues.  So with a lot of research I've come up with a basic list of must-dos for any new Eee PC owner.

  1. Shutdown Samba and Portmap – These services are on by default and there are known security issues with the version of Samba that comes with the EeePC.  Here is how to make sure they are stopped and don’t come back on.  Be warned, if you do this you will not be able to share files with others from your computer, though you can access files on other computers:
    • First start up a terminal window by pressing Ctrl + Alt + T
    • Next issue the following commands:
    • sudo invoke-rc.d samba stop
    • sudo update-rc.d -f samba remove
    • sudo update-rc.d samba stop 20 0 1 2 3 4 5 6 .
    • sudo invoke-rc.d portmap stop
    • sudo update-rc.d -f portmap remove
    • sudo update-rc.d portmap stop 20 0 1 2 3 4 5 6 .
    • Next edit the services file using the following commands:
    • sudo vim /usr/sbin/services.sh
    • Press the “i” key to begin edit mode
    • find the line:
      start-stop-daemon --start --quiet --oknodo --exec /sbin/portmap
      and comment it out like:
      #start-stop-daemon --start --quiet --oknodo --exec /sbin/portmap
    • find the line:
      /usr/sbin/invoke-rc.d samba start
      and comment it out like:
      #/usr/sbin/invoke-rc.d samba start
    • Press the “ESC” key, then press the “:” key, then type “wq” followed by pressing the enter key
  2. There is a webserver that runs on the EeePC any time you launch the anti-virus icon under settings.  It by default hides the content from the internet, but the webserver is still listening on the internet port.  To force the webserver to ONLY listen to your local machine (and not advertise to the rest of the world) do the following.
    • You need to edit the following file using the commands:
    • sudo vim /usr/lib/esets/webi/nginx/conf/nginx.conf
    • find the http {} section, then the server {} section inside it, and
    • Press the “i” key to begin edit mode
    • change “listen 20032;” to “listen localhost:20032;”
    • Press the “ESC” key, then press the “:” key, then type “wq” followed by pressing the enter key
    • Reboot the computer as there is no clean way to stop the service.

Ok, so now the why part.

The EeePC (including my brand new one) ships with an old version of samba, enabled to start on boot by default, that has a known remote attack that can grant root privileges.  That is VERY bad:

http://risesecurity.org/blog/entry/6/

Also the webserver that runs when you start up the anti-virus program on the EeePC is the legacy stable branch (one entire version behind current stable) and several revisions of that behind the current legacy stable revision:

http://nginx.net/CHANGES-0.5

The EeePC runs version 0.5.33 from November of 2007.  You'll notice in the change log several fixed segfaults and other bugs, some of which could lead to security issues.  It's best not to take chances and make sure it doesn't respond to non-localhost requests.
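To see the exposure the two fixes above close (and to confirm afterwards that they worked), here is an added example, not from the original post: a check that reads `netstat -tln` (or `ss -ltn`) output and flags every TCP listener bound to all addresses rather than loopback. The sample lines in the comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report TCP services listening on
# every interface instead of only loopback, i.e. the state samba/portmap and the
# anti-virus nginx on port 20032 ship in before the fixes above.
# Usage: netstat -tln | sh exposed_listeners.sh -     (or: ss -ltn | ...)

exposed_listeners() {
    # Input lines look like this (constructed):
    #   tcp   0  0  0.0.0.0:20032   0.0.0.0:*   LISTEN
    #   tcp6  0  0  :::111          :::*        LISTEN
    # Field 4 is the local address:port in both netstat -tln and ss -ltn output.
    awk '
        /LISTEN/ {
            n = split($4, a, ":")     # the port is after the last colon; IPv6 has many
            port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*")
                print "EXPOSED " host ":" port
            else if (host ~ /^127\./ || host == "::1" || host == "localhost")
                print "local   " host ":" port
            else
                print "bound   " host ":" port   # one address, reachable on that interface
        }'
}

# Only read stdin when explicitly asked, so sourcing the file never blocks.
if [ "${1:-}" = "-" ]; then exposed_listeners; fi
```

After the nginx.conf change and reboot, port 20032 should move from the EXPOSED to the local list, and 445/139 (samba) and 111 (portmap) should disappear entirely.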


Copyright © 2015 · All Rights Reserved · Cafaro's Ramblings