How to Install and Configure Splunk on Linux


Splunk is a software package that collects logs from a variety of servers and devices into a centralised repository, where they can be searched, monitored and analysed through a web-based console.

This Example

In this example I will be installing Splunk version 6.0 on a virtualised Linux Debian Wheezy distribution using the deb package.

Assumptions

The following assumptions are made before installation:

  • A fresh copy of Linux Debian Wheezy is installed
  • Debian Wheezy is fully patched
  • A network connection is present
  • A connection can be established to the internet
  • No firewall restrictions are in place (port 8000 specifically)

Procedure

Downloading Splunk

wget -O splunk-6.0-182037-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=6.0/splunk/linux/splunk-6.0-182037-linux-2.6-amd64.deb&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.0&product=splunkd&typed=release&elq=bca94a89-16b1-4f53-8e04-2424a8c7c4d1'

Installing Splunk

dpkg -i splunk-6.0-182037-linux-2.6-amd64.deb

Start Splunk

cd /opt/splunk/bin
./splunk start

Auto Start Splunk

cd /opt/splunk/bin
./splunk boot-start

Connect to Splunk

  1. Open a web browser
  2. Connect to http://<serverip>:8000

Create Syslog Receiver

Settings > Data > Data inputs


Under “TCP” click on “Add New”


TCP Port = 514
Accept Connections from all hosts? = yes
Set sourcetype = From List
Select source type from list = syslog
Click Save

Repeat the same steps under “UDP” to add a UDP listener on port 514.

Syslog from Cisco

In this example I am going to log absolutely everything from the Cisco device to the Splunk server. When selecting a logging level you get that level and everything more severe, so for example if I use 4 (warnings) I get warnings, errors, critical, alerts and emergencies.

0 emergency
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging

configure terminal
logging trap 7
logging host [splunkip] transport tcp port 514
logging on

Rsyslog from Linux

Add the following to the end of /etc/rsyslog.conf, changing “@splunk” to the name or IP address of the Splunk server. A single @ forwards over UDP (the UDP listener above); use @@ instead to forward over the TCP listener on port 514.

# Manual entry to forward to Splunk
*.emerg @splunk
*.alert @splunk
*.crit @splunk
*.err @splunk
*.warning @splunk
*.notice @splunk
*.info @splunk
*.debug @splunk
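The severity logic behind “logging trap” and the rsyslog selectors above, as an added example that is not part of the original post: a Python decoder for the syslog <PRI> header that applies a trap threshold and flags Cisco messages whose %FACILITY-SEVERITY-MNEMONIC tag disagrees with the PRI severity (a sign of a mangled or forged line). The sample lines are constructed.

```python
import re

# Severity numbers as used by Cisco 'logging trap' and in the syslog PRI field
SEVERITY_NAMES = {0: "emergency", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Facility codes 0-23 (Cisco IOS defaults to local7)
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
CISCO_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")


def decode_pri(line):
    """Split the leading <PRI> into (facility name, severity number); None if absent or invalid."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], severity


def cisco_severity(line):
    """Severity embedded in the %FACILITY-SEVERITY-MNEMONIC tag, if present."""
    m = CISCO_RE.search(line)
    return int(m.group(1)) if m else None


def passes_trap(line, trap_level):
    """Emulate 'logging trap N': a message is sent when its severity is N or more severe (<= N)."""
    decoded = decode_pri(line)
    return decoded is not None and decoded[1] <= trap_level


def inconsistent_severity(line):
    """True when the PRI severity and the Cisco tag disagree."""
    decoded = decode_pri(line)
    tag = cisco_severity(line)
    return decoded is not None and tag is not None and decoded[1] != tag


def filter_by_trap(lines, trap_level):
    """Return (severity name, line) for every line the trap level would forward."""
    return [(SEVERITY_NAMES[decode_pri(l)[1]], l) for l in lines if passes_trap(l, trap_level)]


# Constructed sample messages in the shape a Cisco IOS device sends (facility local7 = 184)
SAMPLE_LINES = [
    "<187>12: *Mar  1 00:05:10.100: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>13: *Mar  1 00:05:11.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]",
    "<189>14: *Mar  1 00:05:12.300: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "<191>15: *Mar  1 00:05:13.400: %SYS-7-USERLOG_DEBUG: debug output",
    "<189>16: *Mar  1 00:05:14.500: %SYS-3-SOMETHING: severity tag does not match PRI",
]

if __name__ == "__main__":
    for name, line in filter_by_trap(SAMPLE_LINES, 4):
        print(name, "|", line, "| INCONSISTENT" if inconsistent_severity(line) else "")
```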

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Poisoning ARP packets using ARP Spoof


ARP spoofing (also known as ARP poisoning) is a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) packets onto a Local Area Network (LAN). The purpose of the attack is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), so that any traffic meant for that IP address is sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop it altogether. The attack is often used as an opening for other attacks such as denial of service, man in the middle or session hijacking.

The attack can only be used on networks that make use of the Address Resolution Protocol (ARP) and is limited to local network segments.

This Example

I will be using Kali Linux version 1.0 as the attacker.

Forward Linux Traffic

If this is being used as a denial of service attack you don’t need to enable forwarding: all traffic will hit the Linux box and terminate there, so the victim’s services stop working.

If this is being used as a man in the middle attack you will need to forward all traffic on to the real gateway.

Temporarily Forward Traffic

echo "1" > /proc/sys/net/ipv4/ip_forward

Permanently Forward Traffic

vi /etc/sysctl.conf
Uncomment the following line:
#net.ipv4.ip_forward=1

ARP Spoofing

You should have two ARP attacks running, one against the target computer and one against the gateway for returning traffic.

arpspoof -i eth0 -t 192.168.0.2 192.168.0.254
arpspoof -i eth0 -t 192.168.0.254 192.168.0.2

Hold down Ctrl and press “C” to stop the attacks; on termination arpspoof sends two further ARP packets to restore the ARP tables on the computer and the router to their correct state.

Warning

Only use this on devices you either own or have authorisation to use on.

Man in the Middle

  • You can use tools such as Wireshark to capture and analyse packets
  • SSL traffic needs to be stripped before viewing; you can use the following tool: SSLStrip
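A defender’s view of the two arpspoof processes above, as an added example that is not part of the original post: a Python script that parses “arp -n” style snapshots, reports any IP whose MAC changed (the gateway in particular) and any MAC that now answers for more than one IP, which is exactly the footprint the two arpspoof commands leave on the victim’s ARP table. The snapshots are constructed.

```python
import re

# Matches the resolved entries of 'arp -n' output: "<ip>  ether  <mac>  C  eth0"
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Parse 'arp -n' style output into {ip: mac}; incomplete entries and the header are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def mac_reuse(table):
    """MACs bound to more than one IP, e.g. one host answering for both the victim and the gateway."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after, watch=()):
    """(ip, old mac, new mac, watched) for every IP whose MAC changed between two snapshots."""
    alerts = []
    for ip, new_mac in after.items():
        old = before.get(ip)
        if old is not None and old != new_mac:
            alerts.append((ip, old, new_mac, ip in watch))
    return alerts


def summarise(before_text, after_text, gateway):
    """Human-readable findings for two snapshots, flagging the gateway binding specially."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    msgs = []
    for ip, old, new, watched in changed_bindings(before, after, watch={gateway}):
        msgs.append("%sbinding changed: %s %s -> %s" % ("GATEWAY " if watched else "", ip, old, new))
    for mac, ips in mac_reuse(after).items():
        msgs.append("MAC %s claims %d addresses: %s" % (mac, len(ips), ", ".join(ips)))
    return msgs


# Constructed snapshots of a victim's ARP cache before and during the poisoning
BEFORE_SNAPSHOT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.254            ether   00:11:22:33:44:55   C                     eth0
192.168.0.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
"""
AFTER_SNAPSHOT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.254            ether   de:ad:be:ef:00:01   C                     eth0
192.168.0.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.0.2              ether   de:ad:be:ef:00:01   C                     eth0
192.168.0.30                     (incomplete)                              eth0
"""

if __name__ == "__main__":
    for msg in summarise(BEFORE_SNAPSHOT, AFTER_SNAPSHOT, gateway="192.168.0.254"):
        print(msg)
```

Static ARP entries for the gateway, or Dynamic ARP Inspection on the switch, remove the condition this script detects rather than merely reporting it.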


Your Own Cloud Managed Storage with Owncloud on VMware ESX


ownCloud is a free and open-source web application for data synchronisation, file sharing and remote storage of documents (cloud storage).

ownCloud is written in PHP and JavaScript.

It is a great alternative to other storage-based cloud services as it is a “fully manage yourself” solution, as long as you trust the host on which the data resides.

Benefits

  • Manage yourself solution
  • Cheaper than other storage based cloud providers

Security

I don’t include it in any of the steps below, but you can in fact encrypt the data on the /var volume using the disk encryption built into Linux. This can prove invaluable, especially if you don’t know the history of the VPS you are using (if you are using one). Add SSL encryption and you have quite a secure method of not only storing data in the cloud but also protecting the data in transit to your devices.

Requirements

Let’s look at what you need in order to get your ownCloud server up and running. Here is the full list, starting with the hardware required:

  • A spare machine to install ownCloud on
  • Enough hard drive space to fit the operating system and cloud data
  • A good quality internet connection with good upload and download speeds to help sync speeds
  • (Optional but helps) A static IP address otherwise you will need to use a dynamic IP service such as DynDNS
  • Access to your router/firewall to NAT ports to the server

This Example

In this example I will be installing ownCloud on the following:

  • VMware ESX 5.1
  • Linux Debian Wheezy (7)

You can skip the following steps if you already have an operating system available (such as a VPS).

Features

  • File storage
  • WebDAV support
  • Cryptography
  • Synchronisation of clients
    • Windows XP
    • Windows Vista
    • Windows 7
    • Windows 8
    • Mac OS X
    • Linux
  • Calendar
  • Task scheduler
  • Address book
  • Music streaming
  • Photo gallery
  • PDF viewer

Creation of Virtual Machine

Start by creating the virtual machine and enter a name for it.

I am giving the guest server an SSD disk to run the operating system only.

Select Virtual Machine Version 8 unless you need backwards compatibility with older VMware ESX host versions.

Select “Linux” and choose the Linux flavour; in my case I am using Debian 7 x64, but Debian 6 x64 will do.

Select the processor allocation; I am not expecting high load, so one vCPU is sufficient.

Allocate RAM; from what I have read 512MB is the minimum. I will be using 1GB.

Select the virtual network you wish to allocate to the virtual machine.

Select the SCSI adapter you wish to use.

Create a new virtual disk.

Allocate the guest OS disk size and provisioning type. I left it at 16GB for the guest OS as it will be headless, and selected thin provisioning to save allocated space and allow growth on demand.

Select the SCSI allocation; I recommend leaving it at the default unless you have a reason to change it.

Review the summary; if everything is okay select “Edit the virtual machine settings before completing”.

Select the floppy drive and remove it (not needed).

Select the CD/DVD drive, browse to the distribution ISO you wish to install and tick “Connect at power on”.

(Optional) Add a second disk; in my case I added 100GB placed on the storage disk, thin provisioned to save space.

(Optional) Select the Options tab, click on “Memory/CPU Hotplug” and enable both memory and CPU hotplug so you can increase resources without powering off the server.

Installing Operating System

Power on the virtual machine and click “Install”.

Select the language.

Select the country.

Configure the keyboard keymap.

If DHCP is not available on the network you will be presented with a network configuration error; select “Continue”.

Select “Configure network manually”.

Assign an unallocated IP address (my value is just an example).

Assign the subnet mask (my value is just an example).

Assign a reachable gateway (my value is just an example).

Assign the DNS address (my value is just an example).

Name the server with a hostname; I recommend keeping it simple and using the function of the server, such as OwnCloud.

Specify the domain name (not really required; my value is just an example).

Input a root password; use something complicated with upper and lower case letters, symbols and numbers, and make it at least twelve characters long.

Re-enter the root password.

Enter your full name (my value is just an example).

Enter your desired username (my value is just an example).

Enter the user’s password.

Re-enter the user’s password.

Select your state or province.

Change the selection to a manual partitioning method.

Select the operating system disk to partition; in my example it is sda.

Select “Yes” to create a new empty partition.

Select the free space to configure, then select “Create a new partition”.

The first partition to make is swap, which will be set at three times the size of RAM; in my example that is 3GB.

Change the type to “Logical”.

Select “Use as”.

Select “swap area”, then select “Done setting up the partition”.

Select “pri/log FREE SPACE”.

Select “Create a new partition”.

Change the size to “max”.

Select “Primary”.

Select “Bootable flag”.

Select “Done setting up the partition”.

Select “sdb”.

Select “Yes”.

Select “pri/log FREE SPACE” on sdb.

Select “Create a new partition”.

Change the size to “max”.

Change the type to “Logical”.

Select “Mount point”.

Select “/var”.

Select “Done setting up the partition”.

Verify the partition structure matches the layout above (swap and / on sda, /var on sdb), then select “Finish partitioning and write changes to disk”.

Select “Yes” to write the changes to disk.

Select “No” to not scan another CD or DVD.

Select “Yes” to use a network mirror.

Select the country of the mirror.

Select the archive mirror.

Select “Continue” unless you require a proxy to connect to the internet.

Select “No” to the package usage survey.

Unselect all packages.

Select “Yes” to install GRUB.

Click “Continue” to finish the installation.

Installing OwnCloud

There are packages that ownCloud depends on in order to run; we will install and configure these manually.

Update

su - root
apt-get update
apt-get upgrade

Install Sudo

su - root
apt-get install sudo

Install OpenSSH

su - root
apt-get install openssh-server

Install Apache

su - root
apt-get install apache2

Install MySQL

su - root
apt-get install mysql-server mysql-client

Install PHP

su - root
apt-get install php5 libapache2-mod-php5
/etc/init.d/apache2 restart
vi /var/www/info.php
<?php
phpinfo();
?>

Browse to http://yourserverip/info.php to confirm PHP is working. Delete /var/www/info.php once you have checked it, as phpinfo() exposes the server’s configuration details to anyone who can reach the page.

Install ownCloud

Create mySQL Database

apt-get install phpmyadmin

Select “apache” and click OK.

Browse to http://serverip/phpmyadmin and log in.

Click on “Databases”.

Type a name for the new database and click “Create”.

Click on “Check Privileges” next to the database you created.

Click “Add User”.

Type in the username
Set Host to “Localhost”
Type and retype the password
Click on “Grant all privileges on database <database name>”
Click on “Check All”
Click on “Go” at the bottom right of the screen

Install ownCloud

echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list
apt-get update
apt-get install owncloud

Browse to http://yourserverip/owncloud and create the admin account:
  • Drop down “Advanced”
  • Change the database type to MySQL
  • Enter the database username
  • Enter the database password
  • Enter the database name
Complete the installation.


Adding disk to Linux

I recently had to add a new virtualised disk to a VM guest without rebooting; luckily for me it only required a single disk with a single full partition.

This Example

In this example I am attaching a virtual vmdk disk to a virtual machine on VMware ESX. This is the second disk added so for this example it is /dev/sdb but this might be different for your setup if you have more than a few disks. I will also be formatting this disk as EXT3.

Note: You don’t need to install lsscsi but it is useful to see what SCSI devices are attached

  1. Add the disk (either virtually or physically)

Check SCSI disks with lsscsi

su - root
apt-get install lsscsi
lsscsi

Create Partition

fdisk /dev/sdb
n          (new partition)
p          (primary)
1          (partition number 1)
<enter>    (accept the default first sector)
<enter>    (accept the default last sector, using the whole disk)
t          (change the partition type)
83         (Linux)
w          (write the changes and exit)

Format disk to EXT3

mkfs.ext3 /dev/sdb1

Add Auto Mount

vi /etc/fstab
Add the following line to the bottom of the file (fields separated by a single tab):
/dev/sdb1           /mnt/disk2            ext3               noatime,acl,user,xattr 1 2
:wq

Manually Mount

mkdir /mnt/disk2
mount /dev/sdb1 /mnt/disk2

Change VMware ESX Scratch Config Location (.locker)


Best practice for a .locker scratch folder

VMware recommends that an ESXi host has a persistent scratch location available for storing temporary data including logs, diagnostic information and system swap space; however, it is not an absolute requirement.

Persistent scratch space may be provisioned on a FAT16, VMFS or NFS partition accessible by the physical ESXi host.

Moving .locker scratch folder location

I found a “.locker” folder located on a 3.5 inch storage drive instead of on the local SSD storage, so I decided to move it. It turns out there is a .locker folder for every physical host, configured automatically when installing VMware ESXi based on what it considers “local storage”. Relocating the .locker scratch folder is straightforward; you just need the full naa path of the storage you wish to move it to.

  • Log into the physical host either by SSH or directly from the physical ESX host console
cd /vmfs/volumes
ls -lash

  • This displays the datastores and the full naa path of each disk (I have removed my own data for security reasons)
  • Copy the 32 characters relating to the disk you want to store the scratch location on
mkdir /vmfs/volumes/%new-location-32-characters%/.locker
  • Open vSphere Client
  • Change view to Home -> Hosts and Clusters
  • Select the physical host on the left hand side
  • Select the Configuration tab on the right hand side
  • Under “Software” click on “Advanced Settings”
  • Select “ScratchConfig” on the left hand side
  • Change “ScratchConfig.ConfiguredScratchLocation” to “/vmfs/volumes/<32characters>/.locker”

Restart the physical host, don’t forget to remove the old “.locker” folder that isn’t being used anymore.


Increase Wifi Transmit Power on Linux


The default TX power of a wireless card is set to 20dBm, but you can increase it to 30dBm. Let me warn you, though: it might be illegal in the country you reside in, so do this at your own risk. Some models will not support these settings, or the wireless chip may state that it “can” transmit at higher power when the device’s manufacturer did not fit the heat sink needed to do so, in which case it will either not work or burn your device out.

Set Transmit Power to 30

iw reg set BO
iwconfig wlan0 txpower 30

Verify Transmit Power at 30

iwconfig


Migrating WordPress Between Platforms

Okay so you want to move WordPress from either a Microsoft IIS server running Microsoft SQL to a Linux box running Apache and MySQL or the other way around? This seems like a daunting task (as I thought initially) but as I found, it is easier than once thought.

Existing WordPress Site

  1. Log into your existing WordPress site (as Admin)
  2. Click on Tools -> Export
  3. Click on “All content”
  4. Click on “Download Export File”
  5. Take a note of the users to import into the new WordPress site (if any)
  6. Copy all files in the ./wp-content/uploads folder

Importing Data to New WordPress Site

  1. Log into your new WordPress site (as Admin)
  2. Import users from the notes of the old WordPress site (if any)
  3. Go to Tools -> Import
  4. Install the “WordPress Importer” from the list
  5. Activate and run the importer
  6. Map the authors from step 2 of importing
  7. Import the files into the WordPress folder ./wp-content/uploads


Key-based SSH Login Authentication on Linux with Putty


This guide describes how to generate a private and public key pair to log into a Linux server over SSH using PuTTY. Using key-based authentication allows you to disable the normal username and password login, which increases security and removes the ability to brute force logins to the server.

Putty & Utilities

First off we need to download the following software: PuTTY, PuTTYgen and Pageant.

Creating Public and Private Keys

  1. Open PuttyGen
  2. Click on “SSH-2 RSA” at the bottom of the application
  3. Change “Number of bits in generated key:” to 2048
  4. Click “Generate”
  5. Move the cursor around the blank area to generate randomness
  6. Change comment to [email protected] eg: [email protected]
  7. Enter a password should you want to protect your private key (recommended)
  8. Click on “Save private key” and save to a safe location

Note: Keep PuttyGen open to get the public key information

Implementing Public Key

  • Log onto server
  • Create a folder called “.ssh” under the username you wish to auto log in as (if it doesn’t already exist)

Note: authorized_keys spelt the American way

mkdir ~/.ssh
  • Create a file called “authorized_keys” under the .ssh folder
vi ~/.ssh/authorized_keys
  • Paste the contents of the public key (from the PuTTYgen window) into this file
  • Make the file readable and writable only by that user
chmod 600 ~/.ssh/authorized_keys
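An added example, not part of the original post: a Python check for the authorized_keys file created above. It verifies the 600 mode, that ~/.ssh is not group/world writable (sshd’s default StrictModes refuses the file otherwise), and that each line is a well-formed OpenSSH public key whose base64 blob repeats the declared key type. The key material in demo() is constructed dummy data, not a real key.

```python
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line):
    """Return (keytype, comment) for a valid OpenSSH public key line; raise ValueError otherwise."""
    parts = line.split()
    # An optional options field (e.g. no-pty,from="192.0.2.1") may precede the key type
    if len(parts) >= 3 and parts[0] not in KEY_TYPES:
        parts = parts[1:]
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type")
    keytype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        raise ValueError("key data is not valid base64")
    # The decoded blob begins with a length-prefixed copy of the key type (RFC 4253 string)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != keytype.encode():
        raise ValueError("blob type does not match declared type")
    return keytype, " ".join(parts[2:])


def check_authorized_keys(path):
    """List the problems sshd (with the default StrictModes yes) would object to; empty means OK."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("authorized_keys mode %o should be 600" % mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if dir_mode & 0o022:
        problems.append(".ssh directory mode %o is group/world writable" % dir_mode)
    with open(path) as fh:
        for num, line in enumerate(fh, 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            try:
                parse_key_line(line)
            except ValueError as exc:
                problems.append("line %d: %s" % (num, exc))
    return problems


def constructed_key_line(keytype, comment, key_bytes=b"\x01" * 32):
    """Build a syntactically valid key line around dummy key material (demonstration only)."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "%s %s %s\n" % (keytype, base64.b64encode(blob).decode(), comment)


def demo():
    """Write a temporary ~/.ssh with one good line and two bad ones and return the findings."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as fh:
        fh.write(constructed_key_line("ssh-ed25519", "user@workstation"))
        fh.write("ssh-rsa AAAA!!!notbase64 pasted-with-line-breaks\n")
        fh.write("ssh-dss AAAAB3NzaC1kc3MAAAA= legacy\n")
    os.chmod(path, 0o644)  # the mistake the check should catch
    return check_authorized_keys(path)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```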

Adding Private Key to Pageant

  • Open Pageant
  • Click on “Add Key”
  • Enter the password (if applicable)
  • Click OK
  • Click “Close”
  • An icon will appear in the bottom right of your screen (system tray)

Creating Putty Saved Session

  • Add the IP address or DNS name into the “Host Name (or IP address)” field
  • Select SSH
  • Add a name to the “Saved Sessions” field
  • (Optional) Click on Connection
  • (Optional) Change “Seconds between keepalives” to 10
  • Click on Connection -> Data
  • Add the username you wish to auto login as
  • Click back on Session on the left hand side
  • Click Save
  • Double click on the saved session to connect


Encryption of text in images using Steghide (Steganography)


Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, could understand or even view them.

According to Wikipedia, the word steganography is of Greek origin and means “concealed writing” from the Greek word steganos meaning “covered or protected” and graphei, meaning “writing”.


Prerequisites

  • Steghide application
  • A .jpeg or .bmp file and a .txt file to hide within it

Steghide

Straight from the Steghide website: “Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. The color- respectively sample-frequencies are not changed thus making the embedding resistant against first-order statistical tests”.

Features

  • Compression of embedded data
  • Encryption of embedded data
  • Embedding of a checksum to verify the integrity of the extracted data
  • Support for Jpeg, Bmp, Wav and Au files

Current Distributions

  • Microsoft Windows
  • Linux

Encrypting Data

In my example I am going to use Microsoft Windows to hide the data in a text file called “secrettext.txt” inside an image file called “image.bmp”, using Steghide version 0.5.1.

  1. Download Steghide
  2. Extract the application
  3. Copy the text and bmp file to the extracted location
  4. Drop to a command prompt
  5. Change to the directory the extracted application resides in
steghide.exe embed -ef secrettext.txt -cf image.bmp

Where

  • -ef = the text file you wish to hide (the embed file)
  • -cf = the cover file, i.e. the image the data is embedded in

You will be prompted for a passphrase to encrypt the data; this adds extra security, as the image should then only be shared with the intended audience who know it.

Before embedding, the image was 565,494 bytes and after embedding it is still 565,494 bytes. This makes it very hard to even detect that anything has been embedded within it.

You can also do this for audio files, the same process as above but use a Wav file.

Extracting Data

Extracting the data is much the same as embedding it however you will need the following:

  • Steghide Application
  • The image/audio file
  • The password
steghide.exe --extract -sf image.bmp -p password

Where

  • -sf = The image file
  • -p = The password

Documentation

The documentation for the application can be found here
