Hardening SSHD for Security


The secure shell daemon should be hardened to prevent unauthorised access before being put into a production environment or exposed to the internet.

1. Verify the /etc/ssh/sshd_config file contains the following lines and that they are not commented out:

Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# The next two only if forwarding is not needed
AllowTcpForwarding no
X11Forwarding no
# Optional: restrict which accounts may log in over SSH
AllowUsers <username1> <username2>
DenyUsers <username1> <username2>
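
The check below is an added example, not part of the original post: a small POSIX shell audit that reads an sshd_config file, takes the first uncommented occurrence of each directive (which is the one sshd honours) and reports each of the settings listed above as OK, MISSING or WRONG. The path is an argument so it can be pointed at a copy of the file; the sample config it runs against when invoked directly is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# directives listed above. Returns the number of directives that are missing
# or set to an unexpected value, so 0 means the file passes.

# Effective value of a directive: first uncommented match, case-insensitive
# (sshd uses the first occurrence of a keyword and ignores the rest).
sshd_value() {
    file="$1"; key="$2"
    grep -i "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1 | awk '{print $2}'
}

# Check one directive against its expected value; prints a verdict line and
# returns 0 only when the directive is present and matches.
check_directive() {
    file="$1"; key="$2"; expected="$3"
    actual=$(sshd_value "$file" "$key")
    if [ -z "$actual" ]; then
        echo "MISSING  $key (expected: $expected)"
        return 1
    fi
    if [ "$(echo "$actual" | tr 'A-Z' 'a-z')" = "$(echo "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo "OK       $key $actual"
        return 0
    fi
    echo "WRONG    $key is '$actual' (expected: $expected)"
    return 1
}

# Run every check; the return value is the count of failing directives.
audit_sshd_config() {
    file="${1:-/etc/ssh/sshd_config}"
    failures=0
    for pair in "Protocol:2" "IgnoreRhosts:yes" "HostbasedAuthentication:no" \
                "PermitRootLogin:no" "PermitEmptyPasswords:no" \
                "AllowTcpForwarding:no" "X11Forwarding:no"; do
        key="${pair%%:*}"; expected="${pair#*:}"
        check_directive "$file" "$key" "$expected" || failures=$((failures + 1))
    done
    return "$failures"
}

# Demo on a constructed sample (not a real server's file): root login is
# enabled, X11 forwarding is on and AllowTcpForwarding is absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
EOF
if audit_sshd_config "$sample"; then
    echo "all directives as expected"
else
    echo "$? directive(s) need attention"
fi
rm -f "$sample"
```

Run it as `sh audit.sh /etc/ssh/sshd_config` (after replacing the demo section with `audit_sshd_config "$1"`) before the host is exposed; the commented-out `#PermitRootLogin no` in the sample shows why the audit must skip comment lines rather than grep for the directive name alone.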

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Setting up Observium


What is Observium?

Observium is an autodiscovering SNMP based network monitoring platform written in PHP which includes support for a wide range of network hardware and operating systems including Cisco, Windows, Linux, HP, Dell, FreeBSD, Juniper, Brocade, Netscaler, NetApp and many more.  Observium has grown out of a lack of network monitoring platforms which are both simple to manage and pleasant to use. It is intended to provide a navigable interface to the health and performance of your network. Its design goals include collecting as much historical data about devices as possible, using as much auto-discovery as possible with little or no manual intervention, and having a very intuitive interface.
Observium is not intended to replace an up/down alerting system like Icinga or Nagios, but rather to complement it with an easy to manage, intuitive representation of historical and current performance statistics, configuration visualisation and syslog capture.

Assumptions

  • A working base install of Linux Debian 7 Wheezy or Ubuntu 12.04 LTS or Ubuntu 13.04
  • UDP port 161 open between the Observium Debian 7 server and the end devices
  • Aptitude sources configured correctly
  • Unrestricted root access

Installing Observium

http://www.observium.org/wiki/Debian_Ubuntu_Installation

1. Update and upgrade

apt-get update && apt-get -y upgrade

2. Install packages required

apt-get install -y libapache2-mod-php5 php5-cli php5-mysql php5-gd php5-snmp php-pear snmp graphviz php5-mcrypt php5-json subversion mysql-server mysql-client rrdtool fping imagemagick whois mtr-tiny nmap ipmitool python-mysqldb

Optional: If you want to monitor libvirt Virtual Machines

apt-get install libvirt-bin

3. Create a folder for Observium to live in

mkdir -p /opt/observium && cd /opt

4. Download the community version of Observium

wget http://www.observium.org/observium-community-latest.tar.gz

5. Extract Observium

tar zxvf observium-community-latest.tar.gz

6. Change to Observium installation directory

cd observium

7. Copy the default configuration file and modify to your system

cp config.php.default config.php

Note: The only change you really need to make is to the $config['db_pass'] = '' field, unless you are installing the database elsewhere or with a different database name.

8. Create the Observium database

mysql -u root -p
mysql> CREATE DATABASE observium;
mysql> GRANT ALL PRIVILEGES ON observium.* TO 'observium'@'localhost' IDENTIFIED BY '<observiumdb password>';
mysql> quit;

9a. Update the Observium config.php file and change the username and password fields

vi /opt/observium/config.php

9b. Set up the MySQL database and insert the default schema

php includes/update/update.php

It’s OK to have some errors in the SQL revisions up to 006

10. Create the directory to store RRDs in

mkdir rrd
chown www-data:www-data rrd

11. If the server will only be running Observium, change the /etc/apache2/sites-available/default to:

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /opt/observium/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /opt/observium/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
</VirtualHost>

Alternatively you can create a vhost just for Observium

12. Enable mod_rewrite for Observium’s cleaner URLs:

a2enmod rewrite
apache2ctl restart

13. Add the first user (Level 10 for Admin)

cd /opt/observium
./adduser.php <username> <password> <level>

14. Add the first device (even if you haven’t configured it yet)

./add_device.php <hostname> <community> v2c

15. Do an initial discovery and polling run to populate the data for the new device

./discovery.php -h all
./poller.php -h all

16. Create cron jobs, create a new file /etc/cron.d/observium with the following contents

Important Note: the example below includes a username field, so it only works in /etc/crontab or /etc/cron.d/observium. It will not work in a user crontab edited with crontab -e.

33 */6 * * * root /opt/observium/discovery.php -h all >> /dev/null 2>&1
*/5 * * * * root /opt/observium/discovery.php -h new >> /dev/null 2>&1
*/5 * * * * root /opt/observium/poller-wrapper.py 1 >> /dev/null 2>&1

17. Connect to the web console by going to a browser and typing “http://serveripaddress”


Geotagging

For a list of locations for geo-tagging your servers on to the Observium map, please refer to this link:

https://developers.google.com/adwords/api/docs/appendix/geotargeting

Manual Configuration Settings

To set some manual settings in Observium you will need to edit the config.php file and insert the $config lines that you require. A reference of the configuration lines you can insert: http://www.observium.org/docs/config_options/

vi /opt/observium/config.php

Configuring Microsoft Windows 2008 Server SNMP Agent

1. Open Server Management

2. Right click on “Features” and click on “Add Features”

3. Expand “SNMP Services” and select “SNMP Service” click Next

4. Click Install

5. Close Server Manager

6. Open Server Manager

7. Expand Configuration and select Services

7. Select SNMP Service, right click and select properties

8. Select the “Agent” tab

9. Type the contact name responsible for this server or email address

10. Type the location, e.g. Sydney, Australia

11. Tick the following

  • Physical
  • Datalink and subnetwork

12. Select the “Traps” tab

13. Type in the community string you are using in your environment and select “Add to list”

14. Click “Add”

15. Type the IP of the Observium Server

16. Select “Security” tab

17. Ensure “Send authentication trap” is ticked

18. Click “Add” under “Accepted community names”

19. Select “READ CREATE” under Community rights

20. Enter your community string under Community Name

21. Select “Accept SNMP packets from these hosts”

22. Select “Add” and type the IP address of the Observium Server

You can also put in the FQDN of the Observium server

23. Add your server into the Observium Web Console

Configuring SNMP on Linux Debian, Ubuntu or Redhat

1a. Install Net-SNMP on Debian/Ubuntu

apt-get install snmpd

1b. Install Net-SNMP on Redhat

yum install net-snmp

2a. Make sure the SNMPDOPTS line in /etc/default/snmpd looks like this on Ubuntu or Debian

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -p /var/run/snmpd.pid'

2b. Make sure the OPTIONS line in /etc/sysconfig/snmpd looks like this on Redhat

OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid"

3. Replace the default /etc/snmp/snmpd.conf file with something like this, changing the community, location and contact fields

com2sec readonly default <COMMUNITY>
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation <LOCATION>
syscontact <CONTACT>
#This line allows Observium to detect the host OS if the distro script is installed
extend .1.3.6.1.4.1.2021.7890.1 distro /usr/bin/distro

4. Get the Observium ‘distro’ script to identify your distribution via SNMP

cd /tmp
wget http://www.observium.org/svn/observer/trunk/scripts/distro
mv distro /usr/bin/distro
chmod 755 /usr/bin/distro

5. Restart SNMPD

/etc/init.d/snmpd restart

6. Add the host to your Observium Web Console
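
As an added example (not from the original post or the Observium project), the script below generates an snmpd.conf in the same shape as the one in step 3, but fills the com2sec SOURCE field with the Observium server's address instead of "default", which would accept the community string from any host. It also includes a checker that flags the two weak settings most often left in place: a "default" source and a well-known community string. The poller address 192.0.2.10 is a constructed value; replace it with your own.

```shell
#!/bin/sh
# Added example (not from the original post): build a read-only snmpd.conf
# restricted to one poller, and check an existing file for weak settings.

# Print an snmpd.conf for a read-only community limited to one source.
# Args: community, allowed source (IP or network/prefix), syslocation, syscontact.
gen_snmpd_conf() {
    community="$1"; source="$2"; location="$3"; contact="$4"
    cat <<EOF
# Only $source may use this community (the com2sec SOURCE field)
com2sec readonly $source $community
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation $location
syscontact $contact
# Lets Observium detect the host OS when the distro script is installed
extend .1.3.6.1.4.1.2021.7890.1 distro /usr/bin/distro
EOF
}

# Inspect an snmpd.conf and print one WARN line per problem found.
# Looks at com2sec (NAME SOURCE COMMUNITY) and the rocommunity/rwcommunity
# shorthand (COMMUNITY [SOURCE]), ignoring comment lines.
check_snmpd_conf() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $1 == "com2sec" {
            if ($3 == "default")
                print "WARN source is default: community " $4 " accepted from any address"
            if (tolower($4) == "public" || tolower($4) == "private")
                print "WARN well-known community string: " $4
        }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if (NF < 3)
                print "WARN " $1 " " $2 " has no source restriction"
            if (tolower($2) == "public" || tolower($2) == "private")
                print "WARN well-known community string: " $2
        }'
}

# Number of problems flagged (0 means nothing was found).
count_snmpd_problems() {
    check_snmpd_conf "$1" | wc -l | tr -d ' '
}

# Demo: generate a config for a poller at 192.0.2.10 (constructed address),
# then check it; the generated file should report no problems.
tmp=$(mktemp)
gen_snmpd_conf '<COMMUNITY>' '192.0.2.10' 'Sydney,Australia' '<CONTACT>' > "$tmp"
cat "$tmp"
echo "problems in generated config: $(count_snmpd_problems "$tmp")"
rm -f "$tmp"
```

Write the output over /etc/snmp/snmpd.conf and restart snmpd as in step 5; run `check_snmpd_conf /etc/snmp/snmpd.conf` on hosts that were configured by hand to catch a forgotten "default" source.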

Configuring SNMP on Cisco IOS

In this example I will be using IPv4-only named ACLs, which is a standard set up these days.

1. Shell into the Cisco console

2. Elevate to privileged mode

enable

3. Enter global configuration mode

configure terminal

4. Create named access list

ip access-list standard SNMPv4

5. Allow Observium server IP address

permit <ipaddress>
exit

6. Configure community string (change <community> to the community string in your environment)

snmp-server community <community> RO SNMPv4

7. Globally enable SNMP ifindex persistence

snmp-server ifindex persist

8. Set SNMP device location

snmp-server location Sydney,Australia

9. Set SNMP owner

snmp-server contact Chris

Configuring SNMP Trap Settings on VMware ESX

Please refer to the following chrisreeves.co.nz article

Cisco File Copy from Flash to TFTP


Assumptions:

  • A working TFTP server
  • No restrictions for UDP packets to be sent from Cisco device to TFTP server (port 69)

Procedure:

TFTP Server

1. Create a file on the TFTP server

touch <filename>

2. Change the permissions

chmod 777 <filename>

Cisco Device

3. Copy the file from the Cisco device

copy flash:<filename> tftp
enter ip address of tftp server
enter name of file created in step 1


Putty Command Line Switches


I’ve put together a few common command line switches as a reference as they seem to be hard to come by on the internet currently.

Download the latest version of Putty from here

Specify Login

-l <username>

Specify Password

-pw <password>

A password given on the command line is visible to other users of the machine in the process list, which is why the PuTTY documentation advises against it; a private key with -i is the safer choice.

Specify Port Number

-P <port>

Specify and Turn on X11 Forwarding

-X

-x:localhost:0

Specify SSH Private Key

-i <keyfile.ppk>

Execute Command

-m file.txt

Increase Verbosity

-v


Configuring Apache vhosts on Apache 2


Virtual hosts are used to run more than one domain off a single IP address. This is especially useful to people who need to run several sites off one virtual private server. There is no limit to the number of virtual hosts that can be added to a VPS.

Assumptions

The following assumptions will be observed

  • You have a working Linux Debian Wheezy
  • You have installed Apache2
  • You have root privileges
  • You have a valid domain

Domain A Records

Before you start doing anything you need to change the A record on the domain to point to the public IP address of the server you are setting up. If the server is behind a router you might have to configure port forwarding and firewall rules.

It will take up to 24 hours to replicate your domain A records around the internet depending on the TTL.

Configuring Apache 2 vhosts

I recommend creating a “vhosts” folder within /var/www as it will give an indication vhosts are being used

mkdir /var/www/vhosts

Now create the site folder, I recommend calling the folder the same as the domain name

mkdir /var/www/vhosts/example.com

Now create the configuration file, change “example.com” to the domain you are using

vi /etc/apache2/sites-available/example.com

Put the following in the file, change example.com to the domain you are using

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/vhosts/example.com
<Directory /var/www/vhosts/example.com>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
</Directory>
ErrorLog /var/log/apache2/example.com-error.log
CustomLog /var/log/apache2/example.com-access.log combined
</VirtualHost>

Create the log files

touch /var/log/apache2/example.com-error.log
touch /var/log/apache2/example.com-access.log

Activate the host by running the following command

a2ensite example.com

Restart Apache2

/etc/init.d/apache2 restart
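
The steps above repeat for every site, so here is an added example (not from the original post) that scripts them: make_vhost takes the domain as an argument, creates the site folder under /var/www/vhosts, writes the sites-available file in the same shape as the one above and creates the two log files. It validates the domain first so a stray argument cannot write outside those directories, and it takes an optional ROOT prefix so the whole thing can be tried in a scratch directory before it touches a real server.

```shell
#!/bin/sh
# Added example (not from the original post): scripted vhost creation.
# Usage: make_vhost example.com [ROOT]   (ROOT defaults to "/")

# Accept only hostname characters; reject empty names, a leading dot and "..".
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the vhost configuration for a domain (same layout as the file above).
vhost_config() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
ServerName $domain
ServerAlias www.$domain
DocumentRoot /var/www/vhosts/$domain
<Directory /var/www/vhosts/$domain>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
</Directory>
ErrorLog /var/log/apache2/$domain-error.log
CustomLog /var/log/apache2/$domain-access.log combined
</VirtualHost>
EOF
}

# Create the site folder, the sites-available file and the log files.
make_vhost() {
    domain="$1"; root="${2:-}"
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    mkdir -p "$root/var/www/vhosts/$domain" \
             "$root/etc/apache2/sites-available" \
             "$root/var/log/apache2"
    vhost_config "$domain" > "$root/etc/apache2/sites-available/$domain"
    touch "$root/var/log/apache2/$domain-error.log" \
          "$root/var/log/apache2/$domain-access.log"
    echo "created vhost $domain under ${root:-/}"
    echo "enable it with: a2ensite $domain && /etc/init.d/apache2 restart"
}

# Demo in a scratch directory so nothing on the real system is touched.
scratch=$(mktemp -d)
make_vhost example.com "$scratch"
cat "$scratch/etc/apache2/sites-available/example.com"
rm -rf "$scratch"
```

On the real server call `make_vhost yourdomain.example` with no second argument, then run a2ensite and restart Apache as above.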

Optional: Create index.html in the /var/www/vhosts/example.com

vi /var/www/vhosts/example.com/index.html

Paste the following into index.html

<html>
<head>
<title>www.example.com</title>
</head>
<body>
<h1>www.example.com is working</h1>
</body>
</html>


PHP Test Script


To see whether PHP is running on the web server, you can create a simple script which will self generate a page full of PHP information.

It will give you the following information:

  • System information
  • Build date
  • Server API
  • Virtual directory support
  • Path to PHP.ini
  • Additional configuration files
  • Additional used configuration files
  • Others….

Simply create a file called “info.php” with the following code:

<?php
phpinfo();
?>


Openfiler Syslog Errors “iscsi_trgt”


I have Openfiler 2.99.2 running on VMware ESX 5.1 and noticed syslog errors:

month day 00:00:00 openfiler kernel: [45189.253028] iscsi_trgt: scsi_cmnd_start(1035) Unsupported 93
month day 00:00:00 openfiler kernel: [45189.253102] iscsi_trgt: cmnd_skip_pdu(457) 1a2e0d00 1c 93 512
month day 00:00:00 openfiler kernel: [45488.730405] iscsi_trgt: scsi_cmnd_start(1035) Unsupported 93
month day 00:00:00 openfiler kernel: [45488.730476] iscsi_trgt: cmnd_skip_pdu(457) 88d0e00 1c 93 512

After a bit of research I came up with the following from VMware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1033665

From the article:

This article provides steps to disable the vStorage APIs for Array Integration (VAAI) functionality in ESXi/ESX. You may want to disable VAAI if the storage array devices in the environment do not support the hardware acceleration functionality or are not responding correctly to VAAI primitives.

Disable VAAI using the vSphere Client

  1. Open VMware vSphere Client
  2. In the inventory pane, select the ESXi host
  3. Click the Configuration tab
  4. Under Software, click Advanced Settings
  5. Click DataMover
  6. Change the DataMover.HardwareAcceleratedMove setting to 0
  7. Change the DataMover.HardwareAcceleratedInit setting to 0
  8. Click VMFS3
  9. Change the VMFS3.HardwareAcceleratedLocking setting to 0
  10. Click OK to save your settings


Reset a Cisco Router to Factory Default Settings


There are currently two ways to reset a Cisco router or switch to factory default.

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_tech_note09186a00802017a1.shtml

Method 1

This method uses the config-register 0x2102 command in global configuration mode.

enable
configure terminal
config-register 0x2102
end
write erase
reload
<do not save>

Method 2

This method uses the config-register 0x2142 command in global configuration mode.

enable
configure terminal
config-register 0x2142
reload
<do not save>
enable
configure terminal
config-register 0x2102
write memory
reload
