Wednesday, April 30, 2014

Zero Trust Security Model Recommendation from Cymbel - "Verify, but don't Trust"

The link to the Cymbel page:- http://www.cymbel.com/zero-trust-recommendations/


Cymbel has developed a set of practical Zero Trust recommendations that can be implemented today.

1. Update Network Security with Next Generation Firewalls - A true Next Generation Firewall will enable you to re-establish a Positive Control Model that includes remote and mobile users, and provides threat protection across the Kill Chain for known and unknown attacks. Only a Next Generation Firewall that can detect all applications across all 65,535 TCP and UDP ports, all of the time, will enable the re-establishment of a Positive Control Model.
A high-function next gen firewall will also reduce overall network security costs by (1) eliminating the need for stand-alone Proxies, IPS/IDSs, and VPNs, and (2) unifying policy management. The money saved here can be applied to Detection and Response controls.
While the logical perimeter is an obvious deployment scenario, re-establishing internal network segmentation is also important. Much as a submarine is compartmentalized so that if one compartment floods, it does not sink the ship, segmenting your internal network up and down the stack will control user access to assets and limit the access of compromised systems. While VLANs have value with respect to performance, their security capabilities cannot stand up to the current threat landscape and compliance requirements. VLANs are comparable to the double yellow lines on a road – they provide guidelines but no real protection.

2. Use a “sandbox” control to detect unknown threats in files – Threats morph so quickly, in seconds or minutes, that signature-based threat detection controls like anti-virus cannot keep up. Nor can signatures detect targeted threats created to exploit unknown and zero-day vulnerabilities. Therefore all unknown files entering the organization from the Internet, regardless of port, protocol, or application, must be analyzed by allowing them to “detonate” in a safe environment, a “sandbox.” This can be done on-premise on an appliance or via a cloud-based service, ideally tightly integrated with the Next Generation Firewall.

3. Establish Protected Enclaves to control user access to applications and resources - The method that the Target attackers used to exfiltrate cardholder data shows the importance of establishing Protected Enclaves, i.e. internal network segmentation. If good next generation firewalls had been used with granular policies that included zones, ports, and applications, then the illicit traffic between the POS terminals and the compromised internal server would have been blocked. We recommend technically strong next generation firewalls that enable you to implement a Positive Control Model from the network layer up through the application layer.

4. Use a specialized anti-phishing email protection service - Phishing and spear-phishing continue to be a top attack vector for adversaries to trick users into clicking on links leading to malicious web pages. Traditional anti-spam services no longer provide enough email protection. They are no match for sophisticated phishing and spear-phishing attacks. An effective cloud-based service dedicated to blocking targeted email attacks is needed. Also, the outbound links in the email must be analyzed before the user is allowed to download a possibly malicious web page.

5. Use Threat Intelligence to prioritize vulnerability remediation - Vulnerability scanners generate large numbers of vulnerabilities, which tend to overwhelm the limited resources dedicated to remediation. A variety of risk scoring methods have been used to prioritize remediation, with limited success. Asset tagging/ranking is valuable but insufficient. We recommend applying Threat Intelligence in conjunction with asset tagging/ranking to improve the risk scoring process and better prioritize remediation.

6. Analyze logs using advanced machine learning algorithms to detect compromised and malicious users – A typical early step in an attack progression after compromising an endpoint is to escalate privilege by capturing the user’s credentials. From that point forward, no malware is needed, as the attacker is using legitimate credentials to access information. In order to detect this activity, we recommend a behavior analysis control. During the last ten years there have been tremendous advances in machine learning algorithms that detect anomalous user behavior and attributes while minimizing false positives.

7. Implement an Incident Management system to minimize incident costs - Incidents are inevitable, period. Not all threats can be detected rapidly enough to eliminate incidents. Furthermore, effective incident response is difficult due to (1) limited staff, (2) the variety and complexity of state and federal laws, and (3) the range of external and internal constituencies affected by a security incident. Mistakes and omissions will surely increase the direct and indirect costs of an incident. Therefore, enterprises must invest in an automated system to better prepare for, assess, manage, and report on incidents.

8. Deploy a Cloud Services Manager to discover, analyze, and control Shadow IT - Employee teams are increasingly using cloud services on their own to improve their effectiveness and efficiency. Cloud services are easy to use, have a fast time to value, and use a pay-per-use (OpEx) pricing model. In most cases, these employee teams do not feel the need to ask for IT’s permission to deploy them. The result is that management has no visibility or control over these “Shadow” IT services. This introduces security, compliance, and legal risks.
A Cloud Services Manager ingests logs from existing firewalls, proxies, web security gateways, and SIEMs to (1) identify all cloud services being used by employee teams, (2) analyze the risks associated with them, and (3) re-establish centralized control where appropriate using a reverse proxy.

9. Monitor your partners’ security postures using a cloud-based service - As organizations improve their information security controls, attackers are increasingly shifting their focus to organizations’ partners such as law firms, advertising agencies, accounting firms, email houses, suppliers, and customers.
Traditional approaches to partner monitoring like self-assessment questionnaires and annual audits are inadequate. The former are subjective and difficult to verify and the latter are expensive and only provide accurate information at the time of the audit.
A better approach would be to use a cloud-based service that can passively, empirically, and continuously monitor, analyze, and rate the cyber security risk posture of your partners.
You could also use a service like this to monitor your own company and compare yourself to your competitors.

10. Deploy an Enterprise Key & Certificate Management (EKCM) system - Some of the less visible by-products of the trend toward broadly enabling encryption are more encryption certificates and keys, and more variation in the way applications, platforms and systems are configured to encrypt. An Enterprise Key and Certificate Management (EKCM) system allows organizations to more effectively implement and maintain encryption throughout their varied, and often disparate, environments. An EKCM system can provide measurable improvements in operational efficiency, system uptime, compliance measurement, audit readiness and overall data security.

11. Deploy a backup, cloud-based DDoS Mitigation Service - In the last couple of years we’ve seen an increase in the number of Distributed Denial of Service attacks, due in part to hacktivist activities, and a dramatic increase in the size of DDoS attacks. On-premise DDoS appliances can protect web servers but do not protect the enterprise’s communications pipes. In addition, most organizations that use a cloud-based DDoS Mitigation Service rely on one of the two major services. This represents Concentration Risk. A secondary service designed specifically for back-up can reduce this risk.

12. Deploy a non-signature-based endpoint malware detection control - At this point in time, it’s clear that traditional signature-based endpoint malware detection controls are no longer able to detect the majority of threats generated by attackers. Another endpoint malware detection control that resides in the application space simply increases the attack surface, i.e. it can be detected and disabled by the attacker. Therefore the new control must reside in the operating system kernel to be undetectable by attackers. Second, the behavior analysis portion of the control must be done off the endpoint lest performance be impacted.

Monday, April 28, 2014

Questions asked by Bastille Linux and sensible defaults suggested

Bastille Linux asks about 26 questions when you run "$bastille -c", in the order below:-


  1. Q: Would you like to set more restrictive permissions on the administration utilities? [N]
  2. Q: Would you like to disable SUID status for mount/umount?[Y]
  3. Q: Would you like to disable SUID status for ping? [Y]
  4. Q: Would you like to disable SUID status for at? [Y]
  5. Q: Would you like to disable SUID status for usernetctl? [Y]
  6. Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
  7. Q: Would you like to enforce password aging? [Y]
  8. Q: Do you want to set the default umask? [Y]
  9. Q: What umask would you like to set for users on the system? [077]
  10. Q: Should we disallow root login on tty's 1-6? [N]
  11. Q: Would you like to password-protect the GRUB prompt? [N]
  12. Q: Would you like to password protect single-user mode? [Y]
  13. Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] (Not recommended for most users)
  14. Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
  15. Q: Who is responsible for granting authorization to use this machine?
  16. Q: Would you like to put limits on system resource usage? [N]
  17. Q: Should we restrict console access to a small group of user accounts? [N]
  18. Q: Would you like to add additional logging? [Y]
  19. Q: Do you have a remote logging host? [N]
  20. Q: Would you like to set up process accounting? [N]
  21. Q: Would you like to deactivate NFS and Samba? [Y]
  22. Q: Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? [Y]
  23. Q: Would you like to deactivate the ISDN script on this machine? [Y]
  24. Q: Would you like to install TMPDIR/TMP scripts? [N]->[Y]
  25. Q: Would you like to run the packet filtering script? [N]
  26. Q: Are you finished answering the questions, i.e. may we make the changes? [Y]


Once you answer yes [Y] to the last question, Bastille Linux will make the appropriate modifications to the system. Additionally, you can run a report using the command

$sudo bastille --report

and the report will be stored under /var/log/Bastille/Assessment/assessment-report.txt. It also contains an overall score of how hardened the system is, e.g. 8.87/10, based on the options you chose for the questions it prompted.


Installing Bastille Linux for hardening your OS on a base AMI

Bastille Linux (http://bastille-linux.sourceforge.net/) is a nice package that hardens your system through a set of questions and configuration scripts. It depends on the "perl-Tk" package as well as "perl-Curses". You can install the dependencies through the package manager if available; otherwise you can install the rpm packages directly. For example, on RHEL 6.5 you can do the below:-


  1. $sudo rpm -Uvh http://pkgs.repoforge.org/perl-Tk/perl-Tk-804.028-2.el6.rf.x86_64.rpm
  2. $sudo rpm -Uvh http://pkgs.repoforge.org/perl-Curses/perl-Curses-1.28-1.el6.rf.x86_64.rpm
Once you have installed the above packages, you can install Bastille Linux as below (the tarball name in the tar command must match the downloaded file):-


  • $wget http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.0.9/Bastille-3.0.9.tar.bz2
  • $tar -xjvf Bastille-3.0.9.tar.bz2
  • $cd Bastille && ./Install.sh
To run Bastille Linux in console mode, you can run "$bastille -c"

grep command to determine which uids and gids the accounts on a system belong to

$grep -o '^[^:]*' /etc/passwd |xargs -L1 id

uid=0(root) gid=0(root) groups=0(root)
uid=1(bin) gid=1(bin) groups=1(bin),2(daemon),3(sys)
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
uid=3(adm) gid=4(adm) groups=4(adm),3(sys)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=10(uucp) gid=14(uucp) groups=14(uucp)
uid=99(nobody) gid=99(nobody) groups=99(nobody)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=69(vcsa) gid=69(vcsa) groups=69(vcsa)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=173(abrt) gid=173(abrt) groups=173(abrt)
uid=38(ntp) gid=38(ntp) groups=38(ntp)
uid=499(saslauth) gid=76(saslauth) groups=76(saslauth)
uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
uid=68(haldaemon) gid=68(haldaemon) groups=68(haldaemon)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=72(tcpdump) gid=72(tcpdump) groups=72(tcpdump)
uid=16(oprofile) gid=16(oprofile) groups=16(oprofile)

Adding a simple banner when you ssh into the machine

If you would like to display a simple message when users ssh into a machine, then you will have to edit the /etc/issue.net file and add your message, such as

$sudo vi /etc/issue.net
#############################################################
#####   All connections are monitored and recorded      #####
# Disconnect IMMEDIATELY if you are not an authorized user! #
#############################################################

After you add your custom message, you can enable the banner in the /etc/ssh/sshd_config file

$sudo vi /etc/ssh/sshd_config

************
# no default banner path
#Banner none
Banner /etc/issue.net
************

Next, restart the sshd process

$sudo /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                               [  OK  ]

Now when you log out and log back in you will see your banner getting displayed.

Thursday, April 24, 2014

Using nmap and netcat to fingerprint a machine

At times you will run into a situation where you don't have access to a machine that is vulnerable and are not sure what applications are running on it, who owns it, or which AWS account (a/c) it belongs to. You can use "nmap" and "nc" to identify the open ports and possibly the applications running on them. Firstly, if you know the IP address, you can use the "dig" or "host" command to determine the hostname and SOA record:-

$ dig -x 54.186.x.x

*****************
; <<>> DiG 9.7.1 <<>> -x 54.186.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58324
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;62.162.186.54.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
62.162.186.54.in-addr.arpa. 176 IN      PTR     ec2-54-186-x-x.us-west-2.compute.amazonaws.com.

;; Query time: 21 msec
;; SERVER: 10.106.x.x#53(10.106.x.x)
;; WHEN: Thu Apr 24 12:30:24 2014
;; MSG SIZE  rcvd: 107
*****************

$ host -v ec2-54-186-x-x.us-west-2.compute.amazonaws.com

*****************
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14067
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-54-186-x-x.us-west-2.compute.amazonaws.com. 6060 IN A 54.186.x.x

Received 83 bytes from 10.106.x.x#53 in 5 ms
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN AAAA

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA     dns-external-master.amazon.com. root.amazon.com. 5267 600 120 604800 900

Received 135 bytes from 10.106.x.x#53 in 66 ms
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN MX

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA     dns-external-master.amazon.com. root.amazon.com. 5267 600 120 604800 900

Received 135 bytes from 10.106.x.x#53 in 44 ms
*****************

$dig SOA +multiline ec2-54-186-x-x.us-west-2.compute.amazonaws.com

*****************
; <<>> DiG 9.7.1 <<>> SOA +multiline ec2-54-186-x-x.us-west-2.compute.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26020
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN SOA

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA dns-external-master.amazon.com. root.amazon.com. (
                                5267       ; serial
                                600        ; refresh (10 minutes)
                                120        ; retry (2 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )

;; Query time: 110 msec
;; SERVER: 10.106.x.x#53(10.106.x.x)
;; WHEN: Thu Apr 24 12:39:43 2014
;; MSG SIZE  rcvd: 135
*****************

Next, you can run nmap on the machine to see the list of TCP ports open:

$nmap -v -sT 54.186.x.x

*****************
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-24 12:51 PDT
Initiating Ping Scan at 12:51
Scanning 54.186.x.x [2 ports]
Completed Ping Scan at 12:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:51
Completed Parallel DNS resolution of 1 host. at 12:51, 0.05s elapsed
Initiating Connect Scan at 12:51
Scanning ec2-54-186-x-x.us-west-2.compute.amazonaws.com (54.186.x.x) [1000 ports]
Discovered open port 443/tcp on 54.186.x.x
Discovered open port 3389/tcp on 54.186.x.x
Discovered open port 21/tcp on 54.186.x.x
Discovered open port 80/tcp on 54.186.x.x
Discovered open port 9009/tcp on 54.186.x.x
Completed Connect Scan at 12:52, 59.26s elapsed (1000 total ports)
Nmap scan report for ec2-54-186-x-x.us-west-2.compute.amazonaws.com (54.186.x.x)
Host is up (0.030s latency).
Not shown: 805 filtered ports, 190 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
9009/tcp open  pichat

Read data files from: /usr/bin/../share/nmap
*****************

From the open ports it seems like a Windows machine running a web server on port 80 and accepting RDP connections on port 3389. Next, we can try to hit port 80 on the above machine, either through a browser or other tools, to see what kind of web server is running. Typically, if web servers have been hardened correctly, they will not serve a default page, or will deny connections. Below is an example using the "nc" (netcat) tool to send a malformed request (HTTP/3.0 instead of HTTP/1.0 or HTTP/1.1):

$nc 54.186.x.x 80

*****************
HEAD / HTTP/3.0
Connection closed by foreign host.
*****************

Hopefully, the above gives you some idea about the applications running, after which you can get in touch with Amazon support to have them email the owner of the AWS a/c in which that machine resides.
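As an added example (not part of the original post), here is a small Python parser for nmap's PORT/STATE/SERVICE table that flags open ports outside an expected baseline, so a scan of your own hosts can be checked against what they are supposed to expose. The scan text and the baseline of ports 80 and 443 are constructed assumptions for an Internet-facing web server.

```python
import re

# Constructed sample: the report section of the `nmap -v -sT` run shown above.
SAMPLE_SCAN = """\
Nmap scan report for ec2-54-186-x-x.us-west-2.compute.amazonaws.com (54.186.x.x)
Host is up (0.030s latency).
Not shown: 805 filtered ports, 190 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
9009/tcp open  pichat

Read data files from: /usr/bin/../share/nmap
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return (port, proto, state, service) tuples from nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def unexpected_open_ports(text, allowed):
    """Open ports that are not in `allowed`, a set of (port, proto) pairs."""
    return [(port, proto, service)
            for port, proto, state, service in parse_nmap(text)
            if state == "open" and (port, proto) not in allowed]


if __name__ == "__main__":
    # Assumed baseline for an Internet-facing web server: only HTTP and HTTPS.
    baseline = {(80, "tcp"), (443, "tcp")}
    for port, proto, service in unexpected_open_ports(SAMPLE_SCAN, baseline):
        print(f"unexpected open port {port}/{proto} ({service})")
```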


Wednesday, April 23, 2014

Sample Cisco ASA configuration to successfully establish VPN tunnel

Below is the sample configuration received from Amazon VPN support where a successful VPN tunnel was established:-

******************
ASA Version 8.4(1)
!
hostname ciscoasa
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.x.x 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-Amzn
 subnet 10.0.x.x 255.255.0.0
object network DynamicNatOut
 subnet 0.0.0.0 0.0.0.0
object network obj-test
 subnet 172.31.x.x 255.255.0.0
access-list outside_in extended permit ip host 72.21.x.x host 192.168.x.x
access-list outside_in extended permit ip host 72.21.x.x host 192.168.x.x
access-list outside_in extended permit ip host 205.251.x.x host 192.168.x.x
access-list outside_in extended permit ip host 205.251.x.x host 192.168.x.x
access-list acl-amzn extended permit ip any object obj-Amzn
access-list acl-test extended permit ip any 172.31.x.x 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging facility 21
logging host outside *.*.*.*
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj_SrcNet obj_SrcNet destination static obj-test obj-test
nat (inside,outside) source static obj_SrcNet obj_SrcNet destination static obj-Amzn obj-Amzn
!
object network DynamicNatOut
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1387
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.x.x interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 10.0.x.x interface outside
 frequency 5
sla monitor schedule 3 life forever start-time now
sla monitor 5
 type echo protocol ipIcmpEcho 172.31.x.x interface outside
 frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-test esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 72.21.x.x 72.21.x.x
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 2 match address acl-test
crypto map amzn_vpn_map 2 set pfs
crypto map amzn_vpn_map 2 set peer 205.251.x.x 205.251.x.x
crypto map amzn_vpn_map 2 set ikev1 transform-set transform-test
crypto map amzn_vpn_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 10.10.x.x-10.10.x.x inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 72.21.x.x ipsec-attributes
 ikev1 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 72.21.x.x ipsec-attributes
 ikev1 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group 205.251.x.x type ipsec-l2l
tunnel-group 205.251.x.x ipsec-attributes
 ikev1 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group 205.251.x.x type ipsec-l2l
tunnel-group 205.251.x.x ipsec-attributes
 ikev1 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email test@xyz.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:*
: end
******************

Also, please make sure the following command is enabled on the ASA to allow ICMP traffic, which is what the SLA monitor uses.

icmp permit any outside
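The following Python script is an added example, not code from the original post or from Amazon: it runs consistency checks over an ASA site-to-site VPN configuration like the one above (every crypto map entry has a defined ACL, transform-set, peer and ipsec-l2l tunnel-group, pfs is set, and "icmp permit any outside" is present whenever an SLA monitor uses ICMP echo). The config text inside it is a constructed excerpt of the sample above with the same x.x placeholders.

```python
import re

# Constructed excerpt of the ASA configuration shown above (same x.x placeholders).
SAMPLE_CONFIG = """\
access-list acl-amzn extended permit ip any object obj-Amzn
access-list acl-test extended permit ip any 172.31.x.x 255.255.0.0
icmp permit any outside
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.x.x interface outside
 frequency 5
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-test esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 72.21.x.x 72.21.x.x
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 2 match address acl-test
crypto map amzn_vpn_map 2 set pfs
crypto map amzn_vpn_map 2 set peer 205.251.x.x 205.251.x.x
crypto map amzn_vpn_map 2 set ikev1 transform-set transform-test
crypto map amzn_vpn_map interface outside
tunnel-group 72.21.x.x type ipsec-l2l
tunnel-group 205.251.x.x type ipsec-l2l
"""

ACL_RE = re.compile(r"access-list (\S+) extended ")
TSET_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) ")
TGROUP_RE = re.compile(r"tunnel-group (\S+) type ipsec-l2l$")
# "crypto map <name> <seq> <attribute> <values>" lines the audit cares about
ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set ikev1 transform-set)\s*(.*)$")


def parse_asa(config):
    """Collect the names and crypto-map entries the audit needs from the config text."""
    facts = {"acls": set(), "tsets": set(), "tgroups": set(), "entries": {},
             "sla_icmp": False, "icmp_permit": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            facts["acls"].add(m.group(1))
        elif m := TSET_RE.match(line):
            facts["tsets"].add(m.group(1))
        elif m := TGROUP_RE.match(line):
            facts["tgroups"].add(m.group(1))
        elif m := ENTRY_RE.match(line):
            entry = facts["entries"].setdefault((m.group(1), int(m.group(2))), {})
            entry[m.group(3)] = m.group(4).split()
        elif line.startswith("type echo protocol ipIcmpEcho"):
            facts["sla_icmp"] = True
        elif line == "icmp permit any outside":
            facts["icmp_permit"] = True
    return facts


def audit_asa_vpn(config):
    """Return a list of findings; an empty list means every check passed."""
    facts = parse_asa(config)
    findings = []
    for (name, seq), entry in sorted(facts["entries"].items()):
        tag = f"crypto map {name} {seq}"
        acl = (entry.get("match address") or [None])[0]
        if acl is None:
            findings.append(f"{tag}: no match address")
        elif acl not in facts["acls"]:
            findings.append(f"{tag}: ACL {acl} is not defined")
        tset = (entry.get("set ikev1 transform-set") or [None])[0]
        if tset is None:
            findings.append(f"{tag}: no transform-set")
        elif tset not in facts["tsets"]:
            findings.append(f"{tag}: transform-set {tset} is not defined")
        peers = sorted(set(entry.get("set peer", [])))
        if not peers:
            findings.append(f"{tag}: no peer")
        for peer in peers:  # each peer needs its own ipsec-l2l tunnel-group
            if peer not in facts["tgroups"]:
                findings.append(f"{tag}: peer {peer} has no ipsec-l2l tunnel-group")
        if "set pfs" not in entry:
            findings.append(f"{tag}: pfs not set")
    if facts["sla_icmp"] and not facts["icmp_permit"]:
        findings.append("sla monitor uses ICMP echo but 'icmp permit any outside' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_vpn(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```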

Wednesday, April 16, 2014

Establishing site-to-site VPN from Amazon VPC to Cisco ASA device running in datacenter

If you are attempting to establish a site-to-site VPN between your Amazon VPC and your Cisco ASA device in your data center, then you will need the following information:-


  • Determine whether you will use static routing or dynamic routing using Border Gateway Protocol (BGP).
  • If you are using BGP, you will need a unique ASN when you create the customer gateway as below:-
  • If you are using static routing, then you will need the publicly addressable IP address of your Cisco ASA device, which you set in your customer gateway (CGW) information:-
  • Next, you will need to know the subnet CIDR range in the data center behind the Cisco ASA that needs access to the EC2 instances running in your VPC, e.g. 10.128.44.0/24 (please note that it is recommended that this subnet CIDR block is different from the CIDR block of your VPC).
Once you have all of the above information, you can follow the steps below:-

  1. Create a Virtual Private Gateway (VPG) and attach it to your VPC using the VPC id:-

  2. Create a Customer Gateway (CGW) and attach it to the VPG that you created in the above step. In the CGW, enter the static IP of the Cisco ASA device.

  3. Next, create a VPN connection per subnet in your data center that you want to publish to your VPC.

  4. Once you have configured your VPG, CGW and VPN, you can download the configuration:

  5. In your VPC "route tables", make sure "route propagation" is enabled for the main route table, the secondary route table, or both, depending on which instances need to reach the VPN tunnel:

  6. Also, add the customer's subnet IP CIDR to the VPN static routes:-

  7. Next, work with your data center team on the Phase 1, Phase 2 and PSK properties specified in this configuration file, which are needed for your Cisco ASA device.

  8. Test the VPN connection by bringing up a machine in the subnet behind the ASA device and trying to connect to an instance in the AWS VPC.

  9. If the tunnels are successfully established, you will see one of them as "up" below:-




Tuesday, April 15, 2014

Use nmap to determine whether a port on the cloud instance is open

Typically, if you run into ssh problems on an EC2 instance, you may want to run the "nmap" utility to determine whether the port is in the "filtered", "open" or "closed" state, as below:-

$nmap <ec2 instance address> -p 2222 -P0 (Port in "open" state)



$nmap <ec2 instance address> -p 25 -P0 (Port in "filtered" state)


$nmap <ec2 instance address> -p 22 -P0 (Port in "closed" state)


Saturday, April 12, 2014

Patching Openssl "heartbleed" vulnerability

The correct way to patch your server will be to follow your OS vendor's recommendations. First determine the version of openssl installed:

$openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Oct 31 10:18:42 EDT 2011
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL
FCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOP
ENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHI
RLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  aesni dynamic

If you are on a version below 1.0.1, or if you compiled openssl with -DOPENSSL_NO_HEARTBEATS, then you are not exposed to the vulnerability. If you determine that you have openssl 1.0.1e or 1.0.2, then you will need to patch the openssl library. You can use the package manager to update openssl, e.g.:

$sudo yum update -y openssl

After the update finishes, you can run "openssl version -a" again to see whether the "built on:" date now shows "April 7th", which means you are using the latest version of the 1.0.1 branch. Additionally, you can check which package provides libssl.so.* (/usr/lib64) using an rpm query

$rpm -q --provides openssl |grep libssl
libssl.so.10()(64bit)
libssl.so.10(OPENSSL_1.0.1)(64bit)
libssl.so.10(OPENSSL_1.0.1_EC)(64bit)
libssl.so.10(libssl.so.10)(64bit)

You can also determine which other packages depend on this openssl library by running the below query

$rpm -q --whatrequires 'libssl.so.10()(64bit)'
sendmail-8.14.4-8.12.amzn1.x86_64
libssh2-1.4.2-1.10.amzn1.x86_64
m2crypto-0.20.2-9.10.amzn1.x86_64
wget-1.14-8.11.amzn1.x86_64
httpd-tools-2.2.26-1.1.amzn1.x86_64
openssl-1.0.1e-37.66.amzn1.x86_64
python26-2.6.9-1.46.amzn1.x86_64
mysql55-libs-5.5.36-1.44.amzn1.x86_64
mysql51-libs-5.1.73-3.69.amzn1.x86_64
php-cli-5.3.28-1.5.amzn1.x86_64
mysql51-5.1.73-3.69.amzn1.x86_64
perl-Net-SSLeay-1.55-1.8.amzn1.x86_64
ruby18-libs-1.8.7.374-2.42.3.amzn1.x86_64
perl-DBD-MySQL-4.023-2.16.amzn1.x86_64
mysql51-server-5.1.73-3.69.amzn1.x86_64
php-5.3.28-1.5.amzn1.x86_64
php-mysql-5.3.28-1.5.amzn1.x86_64

Now you can determine which running services need a restart after updating the openssl library (they still map the old, deleted copy of the library) by running one of the below commands:

$sudo lsof | grep libssl.so | grep '\<DEL\>'

OR

$sudo grep libssl.so /proc/*/maps | grep '(deleted)$' | cut -d/ -f3 | sort -u | xargs -r -- ps u

If the above doesn't return any results, then no service needs a restart; otherwise, if services like "postfix" or "httpd" are listed, you can restart them by

$sudo service postfix restart
$sudo service httpd restart
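The /proc/*/maps one-liner above can be reimplemented as a function that is testable on canned maps text; this is an added example, not from the original post. The /proc/<pid>/maps excerpts are constructed, and checking libcrypto as well is an optional extension through the `libs` parameter (the one-liner above only looks at libssl.so).

```python
import glob
import os

# Constructed sample of /proc/<pid>/maps excerpts (pid -> text) after an openssl update:
# pid 1234 still maps the old, deleted libssl; 2345 loaded the new one; 3456 only libcrypto.
SAMPLE_MAPS = {
    "1234": """\
7f3c1a000000-7f3c1a03d000 r-xp 00000000 ca:01 131337 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1a03d000-7f3c1a23c000 ---p 0003d000 ca:01 131337 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1a23c000-7f3c1a244000 r--p 0003c000 ca:01 131337 /usr/lib64/libssl.so.1.0.1e (deleted)
""",
    "2345": """\
7f9d2b000000-7f9d2b03d000 r-xp 00000000 ca:01 262144 /usr/lib64/libssl.so.1.0.1e
""",
    "3456": """\
7fab10000000-7fab10100000 r-xp 00000000 ca:01 4711 /usr/lib64/libcrypto.so.1.0.1e (deleted)
""",
}


def stale_libssl_pids(maps_by_pid, libs=("libssl.so",)):
    """Return sorted pids whose maps contain a '(deleted)' mapping of any library in `libs`."""
    stale = set()
    for pid, text in maps_by_pid.items():
        for line in text.splitlines():
            if not line.endswith("(deleted)"):
                continue
            fields = line.split()  # address perms offset dev inode pathname (deleted)
            path = fields[5] if len(fields) > 5 else ""
            if any(lib in os.path.basename(path) for lib in libs):
                stale.add(pid)
                break
    return sorted(stale, key=int)


def read_proc_maps():
    """Read /proc/<pid>/maps for every process (run as root to see all of them)."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = path.split("/")[2]
        try:
            with open(path) as fh:
                result[pid] = fh.read()
        except OSError:  # process exited, or not permitted to read it
            pass
    return result


if __name__ == "__main__":
    # Live run: print the pids that still map the deleted libssl and need a restart.
    for pid in stale_libssl_pids(read_proc_maps()):
        print(pid)
```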

Thursday, April 10, 2014

Follow vendor recommendations on Openssl Heartbleed vulnerability

In order to mitigate the security risk posed by the Openssl "heartbleed" vulnerability, follow the vendor recommendations below where applicable, instead of downloading Openssl 1.0.1g from source and compiling it, only to find that it breaks package management on Amazon EC2 instances.

Nginx:-

http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/

Apache:-

https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

RHEL + CentOS instances:-

https://access.redhat.com/site/solutions/781793

Amazon Linux instances (NAT + ELB):-

https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/

Ubuntu instances:-

http://www.ubuntu.com/usn/usn-2165-1/

Wednesday, April 9, 2014

On some RHEL or CentOS machines, when you do a "yum update" you might see the error - "Error: database disk image is malformed"

It is possible that for some reason the local yum database got corrupted or the cache was not cleaned in a previous update cycle. In that case, you can get past the problem by running the below set of commands:-

 $sudo yum clean all
 $sudo yum clean metadata
 $sudo yum clean dbcache
 $sudo yum makecache

After you do the above, you can try running "yum update" on the package you need:

 $sudo yum update -y openssl

Sunday, April 6, 2014

Locking the terminal in Ubuntu while you are away from your desk

Many times we walk away from the desk for various reasons and want to lock the terminal, just as we lock UI screens with "xlock" or the "Ctrl-Alt-Del" combination. In Ubuntu, there is a simple program that does the same for a terminal window. It is called "away". You can install it as below:

$sudo apt-get install away

Once you install, you can invoke the terminal lock using

$away -C "gone for coffee"

After you return, you can press "Enter" and it will prompt you for your password.


Saturday, April 5, 2014

How to Install Elementary OS on a non-pae system

If you would like to install Elementary OS on an older machine (non-PAE, i.e. without Physical Address Extension), then you would have to follow the steps below:


  1. Install Ubuntu 12.04 LTS Server from the Ubuntu download server (ubuntu 12.04 LTS)
  2. From the above ISO install, choose the "base system install" option
  3. After installing the server and logging in, run $sudo apt-get update to make sure the packages are updated.
  4. $sudo add-apt-repository -y ppa:elementary-os/stable
  5. $sudo add-apt-repository -y ppa:elementary-os/os-patches
  6. $sudo apt-get update
  7. $sudo apt-get install -y elementary-desktop
  8. $sudo reboot

Ubuntu "add-apt-repository" command missing?

If you are running a minimal version of Ubuntu Server and you need to use the "add-apt-repository" command instead of editing /etc/apt/sources.list.d or /etc/apt/sources.list manually, you have to install two packages:-

1. $sudo apt-get install software-properties-common
2. $sudo apt-get install python-software-properties

Tuesday, April 1, 2014

DNS flush on clients to view sites after domain updates

If you have a site hosted on Amazon Route53 and you have updated the record set to point to a new instance, then sometimes you will have to perform a DNS flush on the client in order for the site to be refreshed.

On windows machines, you can execute:

******************
C:\Users>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
******************

On Mac OS, you can execute:

******************

$sudo dscacheutil -flushcache

******************

On Linux OS, you can execute:

******************
$sudo /etc/init.d/nscd restart

OR

$service nscd restart

******************

Simple script that backs up logs to a timestamp based folder

The script below, which you could run as a cron job, creates a date-stamped folder and moves the logs into it. Subsequently, you could augment the script to tar and gzip the folder and upload it to an S3 bucket:-

$cat simplebackup.sh
#!/bin/bash
# Move nohup_* files and /opt/logs/* into a date-stamped backup folder.
# mv removes the originals, so no separate rm -rf is needed.
# Run from the directory holding the nohup_* files (cron's cwd is $HOME).
_now=$(date +"%m_%d_%Y")
_dir="./backup_$_now"
mkdir -p "$_dir" || exit 1   # -p: a second run on the same day reuses the folder
mv nohup_* "$_dir"
mv /opt/logs/* "$_dir"

To see whether the backup script executed, look at "crontab -l" and then "/var/log/cron".