Wednesday, 12 December 2012

NRPE and check_nt: wrong RAM amount in Windows

NSClient++ is used for monitoring Windows hosts in both Nagios and Icinga. The other day I found an interesting issue: the NSClient++ agent showed the wrong amount of RAM; more precisely, it doubled it. I used the check_nt plugin to connect to the Windows agent. I suppose that it also counts the pagefile.sys file together with physical memory. Unfortunately I didn't find a way to correct it using check_nt, but it is possible with check_nrpe. NRPE allows passing more arguments to the agent and specifying exactly what type of memory to check.
Here is an example:
First enable NRPE in the agent configuration file nsclient.ini, [/modules] section:
NRPEServer = 1

Next, enable NRPE arguments in [/settings/NRPE/server] section:
allow arguments = true

Restart the service. Now we can test from our Nagios/Icinga host:
check_nrpe -H 10.0.0.1 -p 5666 -c CheckMEM -a MaxWarn=80% MaxCrit=90% ShowAll type=physical

In addition, I found information on the NSClient++ site that "NRPE is the preferred way over NSClient (check_nt) and you get the most out of NSClient++ choosing this mode."

It seems strange to me that both Nagios and Icinga use check_nt in their documentation.

Monday, 29 October 2012

Sunday, 23 September 2012

New certification path

I have been thinking for quite a long time about which certification to choose to prepare for. Finally, I have decided that CCNP Security will be the best choice. Although it consists of 4 exams instead of the 3 in CCNP R&S, I consider it suits me better. Security is my cup of tea :)
The main obstacle is that I need a Cisco ASA for studying and I wouldn't like to spend money on it. Luckily, I managed to virtualize it in GNS3. To accomplish this I used the following great guide: http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/
All necessary books are available on Amazon, but I still haven't chosen which exam will be first, probably Secure (642-637) or Firewall (642-618).

Monday, 17 September 2012

Checking IPSec encryption settings with ike-scan

If you need to check which encryption and authentication methods an IPsec service supports, the ike-scan utility can be used.
First we can launch it with default settings:
ike-scan -M 10.10.10.1

This command tries the 8 most popular default transform sets.
If you get
notify message 14 (NO-PROPOSAL-CHOSEN)

then none of the default transform sets matched.
In this case you can try changing the authentication method by adding the --auth 3 option, which means RSA signatures instead of the default pre-shared keys.
Moreover, you can configure the entire transform set exactly with the --trans option:
ike-scan -v --trans=1,2,3,1 10.10.10.1

The first figure is the encryption type, the second the hash type, the third the authentication type and the fourth the Diffie-Hellman group.
Tables of possible values and all other information are available in the User's Guide

Wednesday, 29 August 2012

Text tools in Linux

Here is a list of essential Linux text tools with a short description of their functions

  • cat - prints a file to standard output
  • tac - prints a file to standard output in reverse line order
  • join - combines files by field
  • paste - merges files line by line
  • expand - converts tabs to spaces
  • od - dump files in octal and other formats
  • sort - sort text files, using fields (alphabetically or numerically)
  • split - splits files to pieces by bytes or by number of lines.
  • tr - translate or delete characters
  • unexpand - convert spaces to tabs
  • uniq - delete duplicate lines
  • fmt - simple text formatter, for example it splits long lines.
  • nl - number lines in a file
  • pr - convert text files for printing.
  • head - shows the beginning of the file.
  • tail - shows the end of the file.
  • less - text file reader.
  • cut - remove sections from each line of files
  • wc - counts lines, bytes and words
  • sed - stream editor
  • grep - print lines matching a pattern
  • egrep - grep with extended regular expressions enabled (the -E option)
  • fgrep - fixed-string grep

And here are the main Vi commands

Command mode:

  • p - paste text
  • 3yy - copy 3 lines
  • 3dd - delete 3 lines
  • u - undo
  • h,j,k,l - move cursor
  • o - insert new line and enter insert mode
  • i - enter insert mode before cursor
  • R - enter insert mode for text replacement
  • a - append text after cursor
  • / - search forward
  • ? - search backward
  • c - change text
  • G - go to a specified line (nG goes to line n, G alone to the last line)
  • :%s/original/replacement/g - replace globally
  • Ctrl+F - move one screen ahead
  • Ctrl+B - move one screen back
  • Ctrl+D - go down half screen
  • Ctrl+U - go up half screen

Exec mode:

  • e or e! - edit another file
  • r - read a file into the buffer
  • ! - execute external command
  • q - quit
  • w - save
  • ZZ - save and exit
Tips
To convert a Windows/DOS text file, where CR+LF ends each line, to a Linux text file, where LF ends each line, the tr program can be used:

tr -d '\r' < input_file > output_file
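As an added example that is not part of the original post, the script below combines several of the tools listed above with the CR+LF tip from this section: it takes a constructed sshd log fragment exported with DOS line endings, strips the carriage returns with tr, and ranks the source addresses of failed logins with grep, sed, sort and uniq. The log lines, host names and addresses are made up for the demo, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a pipeline built from the
# tools listed above, run over a constructed log so it works offline.

# Constructed sample: an sshd log fragment exported from a Windows host,
# so every line ends with CR+LF. Addresses are from documentation ranges.
make_sample_log() {
    {
        printf 'Jan 10 10:00:01 gw sshd[1]: Failed password for root from 203.0.113.5 port 4000 ssh2\r\n'
        printf 'Jan 10 10:00:02 gw sshd[2]: Failed password for admin from 198.51.100.7 port 4001 ssh2\r\n'
        printf 'Jan 10 10:00:03 gw sshd[3]: Accepted publickey for ops from 192.0.2.9 port 4002 ssh2\r\n'
        printf 'Jan 10 10:00:04 gw sshd[4]: Failed password for root from 203.0.113.5 port 4003 ssh2\r\n'
        printf 'Jan 10 10:00:05 gw sshd[5]: Failed password for invalid user test from 203.0.113.5 port 4004 ssh2\r\n'
    } >"$1"
}

# The tip from this section: tr -d '\r' turns CR+LF endings into plain LF.
strip_crlf() {
    tr -d '\r' <"$1"
}

# How many lines still carry a carriage return (0 means the file is clean).
count_cr_lines() {
    grep -c "$(printf '\r')" "$1" || true
}

# Rank source addresses of failed password attempts:
# grep selects the lines, sed keeps only the address after "from ",
# sort | uniq -c counts each address, sort -rn orders by count,
# awk squeezes uniq's padding into "count address".
top_failed_login_ips() {
    strip_crlf "$1" \
        | grep 'Failed password' \
        | sed 's/.* from \([0-9.]*\) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of distinct addresses that failed to log in.
count_failed_login_sources() {
    top_failed_login_ips "$1" | wc -l | tr -d ' '
}

demo() {
    log=$(mktemp)
    make_sample_log "$log"
    echo "lines with CR before conversion: $(count_cr_lines "$log")"
    strip_crlf "$log" >"$log.lf"
    echo "lines with CR after conversion:  $(count_cr_lines "$log.lf")"
    echo "failed logins per source address:"
    top_failed_login_ips "$log"
    echo "distinct sources: $(count_failed_login_sources "$log")"
    rm -f "$log" "$log.lf"
}

# Run the demo only when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as sh textdemo.sh --demo. Note that uniq only collapses adjacent duplicates, which is why the first sort comes before uniq -c, and that without the tr step the trailing CR would be part of every extracted field and break exact matching.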



Thursday, 31 May 2012

Change maximum file size for upload in Mantisbt


Let us imagine you need to upload large files into Mantis. For instance, we will set a 40 MB limit.
First of all you need to change the configuration option in Mantis itself:
$g_max_file_size = 40000000;

Then we change PHP variables:
upload_max_filesize = 40M
post_max_size = 40M


And finally it is necessary to change the MySQL configuration if you use it as storage for files:
max_allowed_packet= 40M

After all these changes you will see the new maximum file size on the Report Issue page:
Upload File (Maximum size: 40,000k)

And do not forget to adjust the max packet option for mysqldump:
[mysqldump]
max_allowed_packet = 40M

or your database backups will fail.
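Added as an example that is not part of the original post: a small shell check that the four limits above agree, since an upload is capped by the smallest of them. It converts the PHP/MySQL shorthand such as 40M to bytes using binary units, which is how php.ini values are interpreted, and compares each layer with the Mantis value, which is plain bytes. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the Mantis, PHP
# and MySQL upload limits agree. An upload is capped by the smallest one.

# Convert a php.ini/my.cnf style value (40M, 512K, 1G or plain bytes) to
# bytes. The shorthand uses binary units, i.e. 40M = 40 * 1024 * 1024.
to_bytes() {
    n=$(printf '%s' "$1" | tr -d ' ')
    case "$n" in
        *[Kk]) echo $(( ${n%?} * 1024 )) ;;
        *[Mm]) echo $(( ${n%?} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${n%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo $(( n )) ;;
    esac
}

# check_upload_limits MANTIS_BYTES UPLOAD_MAX_FILESIZE POST_MAX_SIZE MAX_ALLOWED_PACKET
# Prints every layer that would reject a file Mantis itself allows and
# returns 1 in that case, 0 when all limits line up.
check_upload_limits() {
    mantis_bytes=$1; php_upload=$2; php_post=$3; mysql_packet=$4
    ok=0
    for pair in "upload_max_filesize=$php_upload" \
                "post_max_size=$php_post" \
                "max_allowed_packet=$mysql_packet"; do
        name=${pair%%=*}; val=${pair#*=}
        if [ "$(to_bytes "$val")" -lt "$mantis_bytes" ]; then
            echo "$name=$val is below the Mantis limit of $mantis_bytes bytes"
            ok=1
        fi
    done
    # PHP checks the whole POST body against post_max_size first, so it
    # must not be smaller than upload_max_filesize or the upload fails.
    if [ "$(to_bytes "$php_post")" -lt "$(to_bytes "$php_upload")" ]; then
        echo "post_max_size=$php_post is smaller than upload_max_filesize=$php_upload"
        ok=1
    fi
    return $ok
}

# The values from the post: 40000000 bytes in Mantis, 40M everywhere else.
if [ "${1:-}" = "--demo" ]; then
    if check_upload_limits 40000000 40M 40M 40M; then
        echo "all limits allow the Mantis maximum"
    fi
fi
```

With the values from this post the check passes, because 40M is 41943040 bytes and therefore slightly above the 40000000 configured in Mantis. The PHP manual recommends making post_max_size larger than upload_max_filesize rather than equal, since the multipart form body adds a little overhead to the file itself.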



Tuesday, 10 April 2012

Where are old Debian repositories stored?

In the archive :)
Example for Lenny:
deb http://archive.debian.org/debian/ lenny main non-free contrib
deb-src http://archive.debian.org/debian/ lenny main non-free contrib
# Security:
deb http://archive.debian.org/debian-security/ lenny/updates main contrib non-free
deb-src http://archive.debian.org/debian-security/ lenny/updates main contrib non-free
# Volatile:
deb http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
deb-src http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
# Backports:
deb http://archive.debian.org/debian-backports lenny-backports main contrib non-free

Friday, 6 April 2012

CCNA Security is done

Well, yesterday I successfully passed the CCNA Security exam (640-553). Literally a few weeks before, a new version of this exam, 640-554, was released. I had no time to prepare for that version, so I did not even consider it. The exam was not very difficult; however, I learned a lot of new stuff. 60 questions, 2.5 hours.
For preparation I used 3 books: CCNA Security by Neil Edde, CCNA Security Official Exam Certification Guide by Michael Watkins and Implementing Cisco IOS Network Security by Catherine Paquet.
For lab sims I used the site www.securitytut.com.
Practice tests were downloaded from www.examcollection.com
What is next? I don't know :) In the first place some rest, I think a couple of months. And then my goal is Microsoft Certifications.

Tuesday, 3 April 2012

How to configure IPsec VPN on Cisco routers

IPsec is not a protocol; it is a framework for securing unicast traffic. It consists of 3 protocols: ESP, AH (obsolete) and IKE. For multicast and broadcast, GRE should be used. IKE negotiations use UDP port 500. Encapsulating Security Payload uses IP protocol 50, Authentication Header uses IP protocol 51. IKE Phase 1 can be established via main mode (6 messages) or aggressive mode (3 messages). During this phase the peers authenticate each other using pre-shared keys (PSK) or RSA signatures (PKI). Phase 2 has only one mode, quick mode, which uses 3 packets.
Below you can find a short description of configuring IPsec in tunnel mode on a router; to configure the other router you just need to change the IP addresses, everything else is the same.
IPsec configuration consists of the following steps:
  • Configure ISAKMP(IKE phase 1) protocol 
  • Configure transform set, IKE protocol phase 2 
  • Configure access list which determines what traffic to encrypt 
  • Create crypto map 
  • Apply crypto map to an interface
Configure ISAKMP policy
Here we configure the policy priority, encryption, authentication and Diffie-Hellman group (the group defines the size of the DH modulus, i.e. the strength of the key exchange; group 2 is usually used)
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 2
R1(config-isakmp)#exit


Configure the ISAKMP key. This key is used only for authentication, not encryption.
R1(config)#crypto isakmp key test address 10.10.0.2

Configure transform set
Here we configure transform set name, encryption and authentication.
R1(config)#crypto ipsec transform-set myset2 esp-aes 256 esp-sha-hmac

Configure access list
access-list 102 permit ip any 1.1.1.0 0.0.0.255

Configure crypto map
Here we combine the transform set, access list and peer
R1(config)#crypto map map2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 10.10.0.2
R1(config-crypto-map)#set transform-set myset2
R1(config-crypto-map)#match address 102


Apply crypto map to the interface
R1(config)#interface fastEthernet 1/1
R1(config-if)#crypto map map2


Check that everything works
R1#show crypto isakmp sa - check the state of Phase 1
R1#show crypto engine connections active
R1#show crypto session
R1#show crypto isakmp policy
R1#show crypto ipsec sa
R1#debug crypto isakmp
R1#debug crypto ipsec


NAT with IPSec
On outbound traffic NAT is processed first and only then IPsec, so translated traffic will not match the crypto ACL written for the original addresses. On inbound traffic the order is the reverse.

Multiple crypto maps
If it is required to establish connections with more than one host, we will need multiple crypto map entries. Actually, one crypto map will be used, but with multiple sequence numbers, because we can apply only one crypto map to an interface. We will also create a new access list and a new key.


IPSec configuration types
Above you can see an example of establishing an IPsec tunnel using crypto maps. This is the oldest but not the only method. There are also the following types:
  • VTI 
  • GRE over IPSec

Sunday, 1 April 2012

Checking SSL ciphers

Sometimes it is necessary to test which ciphers an SSL server supports. It can be done with the openssl command. For example, we can try to connect to the site using LOW ciphers:
openssl s_client -connect site.com:443 -cipher LOW

To see which ciphers are included in the category:
openssl ciphers LOW -v

Connect to the service using SSLv2:
openssl s_client -ssl2 -connect SERVERNAME:443
And in addition a very useful link: OpenSSL Command-Line HOWTO
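As an added example that is not part of the original post, the script below automates the manual s_client check above: it expands a cipher-string category with openssl ciphers and tries each cipher against a host with openssl s_client, reporting which ones the server accepts. It assumes only that the openssl binary is on PATH; host, port and category are given as arguments, any extra arguments are passed through to s_client, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: enumerate the ciphers of a
# category and try each one against a server, as the post does by hand.
# Assumes only that the openssl binary is on PATH.

# One cipher name per line for a cipher string such as LOW or 'HIGH:!aNULL'.
# An unknown cipher string makes openssl print an error and yields no lines.
list_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null | awk '{print $1}'
}

# How many ciphers a cipher string expands to with this OpenSSL build.
count_ciphers() {
    list_ciphers "$1" | wc -l | tr -d ' '
}

# probe_cipher HOST PORT CIPHER [extra s_client options]
# Prints "accepted" when the handshake completes with that cipher,
# "rejected" otherwise. Input is closed immediately so s_client exits
# right after the handshake; -servername sends SNI for virtual hosts.
probe_cipher() {
    host=$1; port=$2; cipher=$3; shift 3
    if openssl s_client -connect "$host:$port" -servername "$host" \
           -cipher "$cipher" "$@" </dev/null >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# audit_ciphers HOST PORT CIPHER_STRING [extra s_client options]
# Prints one line per cipher: name and whether the server accepted it.
audit_ciphers() {
    host=$1; port=$2; category=$3; shift 3
    list_ciphers "$category" | while read -r c; do
        printf '%-32s %s\n' "$c" "$(probe_cipher "$host" "$port" "$c" "$@")"
    done
}

# Example invocation: audit the LOW category against a host, TLS 1.2 only.
if [ "${1:-}" = "--demo" ]; then
    audit_ciphers "${2:-site.com}" "${3:-443}" LOW -tls1_2
fi
```

Run it as sh cipheraudit.sh --demo site.com 443, or call audit_ciphers site.com 443 'HIGH:!aNULL' -tls1_2 directly. Pinning the protocol version matters on OpenSSL 1.1.1 and later: against a server that supports TLS 1.3, the -cipher list only governs TLS 1.2 and older suites, so without -tls1_2 a cipher the server would refuse can still show as accepted because the handshake negotiated a TLS 1.3 suite instead. Modern OpenSSL builds also no longer contain the LOW ciphers or SSLv2, so on them the category expands to nothing.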

L2 security

VLAN hopping
Can be done via switch spoofing and double tagging. Switch spoofing means connecting a rogue switch to a switch port. To avoid it we need to disable trunking on access ports:

Cat3550(config-if)# switchport mode access


And on trunk ports prevent the use of DTP:
Cat3550(config-if)# switchport trunk encapsulation dot1q
Cat3550(config-if)# switchport mode trunk
Cat3550(config-if)# switchport nonegotiate


To avoid double tagging, do not use the native VLAN for connecting users.

STP attacks
Root guard - if a port starts receiving superior BPDUs, it stops forwarding user data; once the superior BPDUs stop, the port begins forwarding again
SW1(config)# interface gigabitethernet 0/1
SW1(config-if)# spanning-tree guard root


BPDU guard - if a port receives a BPDU it is err-disabled. Works together with the PortFast feature.
SW1(config)# interface gigabitethernet 0/2
SW1(config-if)# spanning-tree bpduguard enable
or in global mode, for all PortFast ports:
SW1(config)# spanning-tree portfast bpduguard default

DHCP Starvation attack
An attacker sends a lot of DHCP requests from bogus MAC addresses and occupies all available DHCP addresses. Then he introduces his own DHCP server.

DHCP spoofing
The DHCP snooping feature on Cisco Catalyst switches helps here. There are two port states: trusted and untrusted. When the feature is enabled, all ports are untrusted by default. Trusted ports are allowed to receive DHCP responses; untrusted ports are not, and they are err-disabled if they receive such responses.

SW1(config)# ip dhcp snooping
SW1(config)# interface gigabitethernet 0/4
SW1(config-if)# ip dhcp snooping trust 

SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding

DHCP DoS attack
Somebody may send tons of DHCP requests from different MAC addresses. It is possible to limit the rate of requests per second, for instance to 3:
SW1(config)# interface gigabitethernet 0/5
SW1(config-if)# ip dhcp snooping limit rate 3 

ARP spoofing
We can protect against this using the DAI (Dynamic ARP Inspection) feature.
SW1(config)# ip arp inspection vlan 10
SW1(config)# interface gigabitethernet 0/6
SW1(config-if)# ip arp inspection trust

SW1#show ip arp inspection vlan 123


Static ARP access list
arp access-list ACL_NAME
permit ip host 1.1.1.1 mac 1111.1111.1111
ip arp inspection filter ACL_NAME vlan 123
show arp access-list ACL_NAME 

Auto recovery of port
errdisable recovery cause arp-inspection
errdisable recovery interval 30 

Validate IP, source MAC and destination MAC in the payload (any combination of the three keywords)
ip arp inspection validate ip dst-mac src-mac


CAM table overflow attack, MAC address spoofing
An attacker sends thousands of frames with bogus source MAC addresses to the switch, which fills up the CAM table. When the switch then gets a frame for a MAC address it does not know, it floods it to all ports, so the attacker can now listen to all traffic in this VLAN.
The port-security command can be used to mitigate this by defining the maximum number of MAC addresses per port.
To use port security we have to explicitly configure the port as access or trunk.
When we configure port security on a trunk port we can specify details for specific VLANs.
We can also use aging for port-security dynamic mode.

Port security can be static, dynamic or sticky.
Sticky - dynamically learns MAC addresses on a port and puts them into the configuration as static entries. Then we just have to save the running config to startup.

Violation actions can be:
Protect - drops frames from new MAC addresses once the maximum (5 in the example below) is reached; no alerts, no syslog messages, no SNMP traps, not a very good option
Restrict - the same as Protect, but with alerts
Shutdown - the default action; turns the port off (err-disabled) plus alerts
Shutdown vlan - the same, but only for the offending VLAN

SW1(config-if)# switchport port-security maximum 5
SW1(config-if)# switchport port-security aging type inactivity
SW1(config-if)# switchport port-security aging time 5
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address 0000.0000.0000
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky

Source guard
Protects against IP spoofing and MAC spoofing
interface gigabitethernet 0/2
ip verify source port-security

ip source binding b827.eb51.1af6 vlan 123 10.123.0.50 interface gig 0/2
show ip verify source
show ip source binding

Storm control
Configured in interface context; we can monitor broadcast, unicast and multicast traffic, based on pps, bps or interface utilization.
storm-control broadcast level pps 500 100
storm-control action shutdown
errdisable recovery cause storm-control
errdisable recovery interval 60
show storm-control broadcast

SAN and its numerous protocols

Preparing for the CCNA Security exam, I decided to research a little about SAN (Storage Area Network) technology and the protocols used in it. It turned out that it is not quite simple. Over the years a number of protocols were developed: Fibre Channel, Fibre Channel over Ethernet, Fibre Channel over IP, iSCSI. Moreover, they compete with each other.
The history and the differences are described in an interesting article: Fibre Channel vs. iSCSI: The war continues

Wednesday, 21 March 2012

Web site migration or copy

In this post I would like to describe a little of what is worth taking into account if you need to copy or migrate a web site to another server. The web site described is based on Apache, PHP and MySQL.
First of all, transfer the files and the database. Then give all needed rights to these files so the web server can read and change them. Consider copying cron jobs if they exist.
Install the same package set as on the original server, I mean the packages related to PHP and MySQL.
Check the PHP version; sometimes there are significant differences between versions.
Do not forget to load the same Apache modules.


Saturday, 4 February 2012

Cisco tips


Configure and enable basic authentication via local user database

R1(config)#username test password test
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
default is the name of the list, which is applied to all interfaces by default if other lists are not configured.

Enable SSH connection

R1(config)#username test password test
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#hostname test
R1(config)#ip domain-name test
R1(config)#crypto key generate rsa general-keys modulus 1024
R1(config)#ip ssh time-out 120
R1(config)#ip ssh authentication-retries 4
R1(config)#ip ssh version 2
R1(config)#ip ssh logging events
R1(config)# line vty 0 4
R1(config-line)# transport input ssh

Configure zone based firewall
  • create security zones
  • create zone pairs
  • configure class map
  • configure policy map
  • attach policy map to zone pair with the service-policy command
  • attach interfaces to zones



Sunday, 29 January 2012

Web site replication

Let's imagine you have a web site based on PHP and MySQL and you need to make a mirror of it that is always kept synchronized. File and folder synchronization is not an issue; rsync over ssh is the solution:
rsync --delete -avr --links --rsh="/usr/bin/ssh -l mirror -i /home/user/mirror.key" 192.168.47.11:/var/www/site /var/www
But what about MySQL? We can use the built-in replication feature.
It's quite easy. First edit my.cnf on your master server and add the following:
log-bin = /var/log/mysql/mysql-bin.log
binlog-do-db=database
server-id=1
replicate-do-db = database

Then restart the server, connect to it with the MySQL client and enter the following:
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;


Write down the file and position; you will need them later.
Do not exit mysql, so that the tables stay locked. In a new session make a dump of the database:
mysqldump --lock-all-tables database > dbdump.db
Then unlock the tables:
UNLOCK TABLES;

Create a user for replication:
CREATE USER 'slave'@'slave_ip_address' IDENTIFIED BY 'slavepass';
GRANT REPLICATION SLAVE ON *.* TO 'slave'@'slave_ip_address';

Transfer the dump to the slave server.
Edit my.cnf on the slave server:
server-id = 2
Log in to mysql and enter the following:
CHANGE MASTER TO MASTER_HOST = "master_ip_address", MASTER_USER = "slave", MASTER_PASSWORD = "slavepass", MASTER_LOG_FILE = "mysql-bin.000003", MASTER_LOG_POS = 934325;

Of course, change the file and log position to the values you wrote down.
Then activate replication:
START SLAVE;

To see status of replication:
SHOW SLAVE STATUS;

P.S. This is a very short description of the process. All details are available on the official MySQL site.

After the configuration is finished, DO NOT open the site copy in a browser. If you do, the site engine usually makes some changes to the slave database and MySQL replication will break.
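As an added example that is not part of the original post, here are two helpers for the steps above that are most often done wrong by hand: generating the CHANGE MASTER TO statement directly from SHOW MASTER STATUS output, so the file name and position are never retyped, and checking SHOW SLAVE STATUS for a healthy replica. The server output is constructed inline with the values from the post so the script runs offline; on a live server you would pipe in mysql -B -e 'SHOW MASTER STATUS' and mysql -e 'SHOW SLAVE STATUS\G' instead. Host, user and password are example values and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for building
# CHANGE MASTER TO from the master's binlog coordinates and for checking
# the slave's health. Server output is constructed inline; on a real host
# feed the functions from  mysql -B -e 'SHOW MASTER STATUS'  and
# mysql -e 'SHOW SLAVE STATUS\G'.

# Constructed batch-mode (tab separated) SHOW MASTER STATUS output with
# the file and position values used in the post.
master_status_sample() {
    printf 'File\tPosition\tBinlog_Do_DB\tBinlog_Ignore_DB\n'
    printf 'mysql-bin.000003\t934325\tdatabase\t\n'
}

# change_master_statement HOST USER PASSWORD  < show-master-status-output
# Takes file and position from the second (data) row so they are never
# retyped; tab splitting also keeps stray spaces out of the file name.
change_master_statement() {
    awk -F '\t' -v h="$1" -v u="$2" -v p="$3" 'NR == 2 {
        printf "CHANGE MASTER TO MASTER_HOST=\"%s\", MASTER_USER=\"%s\", MASTER_PASSWORD=\"%s\", MASTER_LOG_FILE=\"%s\", MASTER_LOG_POS=%d;\n",
               h, u, p, $1, $2
    }'
}

# Constructed SHOW SLAVE STATUS\G output (only the fields examined here).
slave_status_sample() {
    printf '*************************** 1. row ***************************\n'
    printf '             Slave_IO_Running: Yes\n'
    printf '            Slave_SQL_Running: Yes\n'
    printf '        Seconds_Behind_Master: 0\n'
    printf '                   Last_Error: \n'
}

# replication_healthy [MAX_LAG_SECONDS]  < show-slave-status-output
# Returns 0 when both replication threads run and the lag is known and
# within the limit (default 60 s), 1 otherwise. A stopped thread or a
# NULL lag is exactly what you see after the slave database was modified.
replication_healthy() {
    awk -v max="${1:-60}" '
        /Slave_IO_Running:/      { io  = $2 }
        /Slave_SQL_Running:/     { sql = $2 }
        /Seconds_Behind_Master:/ { lag = $2 }
        END {
            if (io == "Yes" && sql == "Yes" && lag != "NULL" && lag != "" && lag + 0 <= max)
                exit 0
            exit 1
        }'
}

if [ "${1:-}" = "--demo" ]; then
    master_status_sample | change_master_statement master_ip_address slave slavepass
    if slave_status_sample | replication_healthy 60; then
        echo "replication healthy"
    else
        echo "replication BROKEN or lagging"
    fi
fi
```

Run it as sh repl.sh --demo. The health check is the part worth scheduling: the warning at the end of the post (never touch the slave through the site) shows up as Slave_SQL_Running: No together with a Last_Error line, which this function reports as unhealthy long before anyone notices stale data on the mirror.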

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...