Diciembre 11

Lynis – Un soft sympa pour auditer son système

linys-1

Plop les bovins,

Tout d’abord je tiens à m’excuser pour ne pas avoir fichu grand chose aujourd’hui, mais Ubuntu Gnome 13.04 étant officiellement dans la nature, je me devais de me refaire un petit labs tout frais tout neuf pour les six prochains mois! Séance réinstall obligatoire, suivie d’un Mc DO pour retaper la bête!

Ceci étant dit je reprends la plume et j’inaugure cette session toute neuve, pour vous parler d’un petit outil d’audit sympathique qui répond au doux nom de Lynis. Vous allez voir, c’est assez énorme.

Lynis est un petit soft qui s’utilise en ligne de commande, mais rassurez-vous, il ne nécessite pas de connaissances spécifiques pour être utilisé. Là où quelques connaissances ne vous seront pas inutiles en revanche, c’est dans l’analyse des résultats que va vous renvoyer la bête après l’audit de votre système.

Comme vous l’avez peut-être compris Lynis n’est pas à proprement parler un outil de pentest (ce à quoi l’on pourrait s’attendre quand on parle d’audit).

Il a pour but de vérifier via un scan, quasiment tous les paramètres de votre système avant de vous faire une synthèse complète et de vous afficher des suggestions qui vont vous permettre d’agir sur les points faibles de celui-ci.

Il va analyser tout un tas de paramètres concernant entre-autres :

  • Les chargeurs et services de démarrage
  • La configuration du noyau, les modules chargés, ceux en cours d’exécution
  • La mémoire et les processus
  • Les utilisateurs et les groupes
  • Les points de montage et le système de fichiers racine
  • Les services NFS et BIND
  • Les mises à jour et les référentiels de vos logiciels
  • Les règles Iptables et la configurations SELinux
  • Les serveurs Web Apache et nginx
  • La configurations SSH
  • Le mot de passe root, MySQL et les services LDAP
  • Les options PHP
  • Les options crontab / cron et ATD
  • Le démon NTP
  • L’expiration du certificat SSL
  • La présence de malwares
  • Les répertoires personnels

Et il fait le kawa. Ah non, pas ça désolé (dans une prochaine maj peut-être).

Quoi qu’il en soit la liste des vérifications effectuées par Lynis est vraiment impressionnante.

Si ça vous branche, vous serez ravi d’apprendre que la bête est disponible par défaut dans les dépôts Debian et Ubuntu. Pour l’installer sur Ubuntu 13.04 par exemple, il suffit d’entrer simplement la commande suivante.

sudo apt-get install lynis

Une fois que la bête est présente sur votre machine, vous pouvez la lancer en entrant ceci dans votre terminal :

sudo lynis -c

ou

sudo lynis --check-all

Vous devriez ensuite arriver sur un fenêtre d’accueil qui ressemble à ça (cliquez pour agrandir) :

linys-1

À ce stade vous n’avez déjà plus rien à faire d’autre que d’enchaîner les tests à l’aide de la touche « Enter ». Patientez à chaque fois le temps que ceux-ci puissent s’exécuter correctement, certains tests prendront plus de temps que d’autres.

Je vous ai fait une petite galerie qui va vous montrer en image les différents tests :

lynis-2

lynis-3

linys-4

linys-5

Une fois que l’audit est achevé vous pouvez au choix, consulter les suggestions depuis le terminal.

lynis-suggest

Ou consulter le fichier « Lynis.log », qui en toute logique devrait se trouver dans /var/log/.

À vous ensuite d’en tirer les bonnes conclusions et de changer ce qui ne vas pas sur votre système 🙂

lynis-log

NB : Vous pouvez lancer Lynis de manière à ce que ce dernier ne vous demande pas de confirmation entre chaque test, en utilisant la commande suivante :

sudo lynis -c -Q

J’ai vraiment trouvé ce petit soft pas mal du tout.

Bien entendu tout n’y est pas et il y aura certainement pas mal d’autres tests à faire pour un audit complet, mais Lynis constitue un bon point de départ.

Je ne l’ai pas signalé car ce sont des paquets non officiels, mais il existe des packages RPMpour pouvoir utiliser Lynis sous Fedora ou openSUSE.

Amusez-vous bien.

Category: TOOLS | Los comentarios están deshabilitados en Lynis – Un soft sympa pour auditer son système
Diciembre 11

WGET

wget utility is the best option to download files from internet. wget can pretty much handle all complex download situations including large file downloads, recursive downloads, non-interactive downloads, multiple file downloads etc.,

In this article let us review how to use wgetfor various download scenarios using 15 awesome wget examples.

 

1. Download Single File with wget

The following example downloads a single file from internet and stores in the current directory.

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

While downloading it will show a progress bar with the following information:

  • %age of download completion (for e.g. 31% as shown below)
  • Total amount of bytes downloaded so far (for e.g. 1,213,592 bytes as shown below)
  • Current download speed (for e.g. 68.2K/s as shown below)
  • Remaining time to download (for e.g. eta 34 seconds as shown below)

Download in progress:

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Saving to: `strx25-0.9.2.1.tar.bz2.1'

31% [=================> 1,213,592   68.2K/s  eta 34s

Download completed:

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Saving to: `strx25-0.9.2.1.tar.bz2'

100%[======================>] 3,852,374   76.8K/s   in 55s    

2009-09-25 11:15:30 (68.7 KB/s) - `strx25-0.9.2.1.tar.bz2' saved [3852374/3852374]

2. Download and Store With a Different File name Using wget -O

By default wget will pick the filename from the last word after last forward slash, which may not be appropriate always.

Wrong: Following example will download and store the file with name: download_script.php?src_id=7701

$ wget http://www.vim.org/scripts/download_script.php?src_id=7701

Even though the downloaded file is in zip format, it will get stored in the file as shown below.

$ ls
download_script.php?src_id=7701

Correct: To correct this issue, we can specify the output file name using the -O option as:

$ wget -O taglist.zip http://www.vim.org/scripts/download_script.php?src_id=7701

3. Specify Download Speed / Download Rate Using wget –limit-rate

While executing the wget, by default it will try to occupy full possible bandwidth. This might not be acceptable when you are downloading huge files on production servers. So, to avoid that we can limit the download speed using the –limit-rate as shown below.

In the following example, the download speed is limited to 200k

$ wget --limit-rate=200k http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

4. Continue the Incomplete Download Using wget -c

Restart a download which got stopped in the middle using wget -c option as shown below.

$ wget -c http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

This is very helpful when you have initiated a very big file download which got interrupted in the middle. Instead of starting the whole download again, you can start the download from where it got interrupted using option -c

Note: If a download is stopped in middle, when you restart the download again without the option -c, wget will append .1 to the filename automatically as a file with the previous name already exist. If a file with .1 already exist, it will download the file with .2 at the end.

5. Download in the Background Using wget -b

For a huge download, put the download in background using wget option -b as shown below.

$ wget -b http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Continuing in background, pid 1984.
Output will be written to `wget-log'.

It will initiate the download and gives back the shell prompt to you. You can always check the status of the download using tail -f as shown below.

$ tail -f wget-log
Saving to: `strx25-0.9.2.1.tar.bz2.4'

     0K .......... .......... .......... .......... ..........  1% 65.5K 57s
    50K .......... .......... .......... .......... ..........  2% 85.9K 49s
   100K .......... .......... .......... .......... ..........  3% 83.3K 47s
   150K .......... .......... .......... .......... ..........  5% 86.6K 45s
   200K .......... .......... .......... .......... ..........  6% 33.9K 56s
   250K .......... .......... .......... .......... ..........  7%  182M 46s
   300K .......... .......... .......... .......... ..........  9% 57.9K 47s

Also, make sure to review our previous multitail article on how to use tail command effectively to view multiple files.

6. Mask User Agent and Display wget like Browser Using wget –user-agent

Some websites can disallow you to download its page by identifying that the user agent is not a browser. So you can mask the user agent by using –user-agent options and show wget like a browser as shown below.

$ wget --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" URL-TO-DOWNLOAD

7. Test Download URL Using wget –spider

When you are going to do scheduled download, you should check whether download will happen fine or not at scheduled time. To do so, copy the line exactly from the schedule, and then add –spider option to check.

$ wget --spider DOWNLOAD-URL

If the URL given is correct, it will say

$ wget --spider download-url
Spider mode enabled. Check if remote file exists.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
<strong>Remote file exists</strong> and could contain further links,
but recursion is disabled -- not retrieving.

This ensures that the downloading will get success at the scheduled time. But when you had give a wrong URL, you will get the following error.

$ wget --spider download-url
Spider mode enabled. Check if remote file exists.
HTTP request sent, awaiting response... 404 Not Found
<strong>Remote file does not exist -- broken link!!!</strong>

You can use the spider option under following scenarios:

  • Check before scheduling a download.
  • Monitoring whether a website is available or not at certain intervals.
  • Check a list of pages from your bookmark, and find out which pages are still exists.

8. Increase Total Number of Retry Attempts Using wget –tries

If the internet connection has problem, and if the download file is large there is a chance of failures in the download. By default wget retries 20 times to make the download successful.

If needed, you can increase retry attempts using –tries option as shown below.

$ wget --tries=75 DOWNLOAD-URL

9. Download Multiple Files / URLs Using Wget -i

First, store all the download files or URLs in a text file as:

$ cat > download-file-list.txt
URL1
URL2
URL3
URL4

Next, give the download-file-list.txt as argument to wget using -i option as shown below.

$ wget -i download-file-list.txt

10. Download a Full Website Using wget –mirror

Following is the command line which you want to execute when you want to download a full website and made available for local viewing.

$ wget --mirror -p --convert-links -P ./LOCAL-DIR WEBSITE-URL
  • –mirror : turn on options suitable for mirroring.
  • -p : download all files that are necessary to properly display a given HTML page.
  • –convert-links : after the download, convert the links in document for local viewing.
  • -P ./LOCAL-DIR : save all the files and directories to the specified directory.

11. Reject Certain File Types while Downloading Using wget –reject

You have found a website which is useful, but don’t want to download the images you can specify the following.

$ wget --reject=gif WEBSITE-TO-BE-DOWNLOADED

12. Log messages to a log file instead of stderr Using wget -o

When you wanted the log to be redirected to a log file instead of the terminal.

$ wget -o download.log DOWNLOAD-URL

13. Quit Downloading When it Exceeds Certain Size Using wget -Q

When you want to stop download when it crosses 5 MB you can use the following wget command line.

$ wget -Q5m -i FILE-WHICH-HAS-URLS

Note: This quota will not get effect when you do a download a single URL. That is irrespective of the quota size everything will get downloaded when you specify a single file. This quota is applicable only for recursive downloads.

14. Download Only Certain File Types Using wget -r -A

You can use this under following situations:

  • Download all images from a website
  • Download all videos from a website
  • Download all PDF files from a website
$ wget -r -A.pdf http://url-to-webpage-with-pdfs/

15. FTP Download With wget

You can use wget to perform FTP download as shown below.

Anonymous FTP download using Wget

$ wget ftp-url

FTP download using wget with username and password authentication.

$ wget --ftp-user=USERNAME --ftp-password=PASSWORD DOWNLOAD-URL

If you liked this article, please bookmark it with delicious or Stumble.

Category: TOOLS | Los comentarios están deshabilitados en WGET
Diciembre 10

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.

In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASAand a pfSense firewall. PfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2 and the same has been used in this tutorial.

In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1  Cisco ASA to pfSense IPsec Implementation (Click for Larger Picture)

IPsec - ASA to pfSense

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute Value
Encryption AES 128-bit
Hashing SHA-1
Authentication method Preshared keys
DH group Group 2 1024-bit field
Lifetime 86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

  Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute Value
Encryption AES 128-bit
Hashing SHA-1
Lifetime 28,800 seconds4,608,000 kB
Mode Tunnel
PFS group None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

Let’s start with configuring the ASA (Using ASA 8.4(2) in this example):

! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside

tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside

PfSense Configuration

We open the URL http://173.199.183.2 in a Web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. You may have noticed that 173.199.183.2 is the WAN IP address of the pfSense firewall that indicates we are accessing it from the Internet.

pfSense Login

(click for larger picture)

After successfully logging in you reach the Status page which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on theTunnels tab. Configure ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

pfSense ipsec Phase1

(click for larger picture)

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

pfSense ipsec Phase2

(click for larger picture)

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

VPN IPsec

  (click for larger picture)

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to Cisco ASA to a host in subnet 10.0.0.2/24 connected to pfSense, using the ping utility. If ping is successful between the two subnets, an IPsec tunnel is likely to have established successfully. The same can be verified using command show crypto ipsec stats on Cisco ASA.

In order to check IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a tiny green icon in the Status column, IPsec tunnel is successfully established as shown in the following screenshot.

Category: CISCO, VPN IPSEC | Los comentarios están deshabilitados en Site-to-Site IPSEC VPN Between Cisco ASA and pfSense
Diciembre 10

Setting up cluster synchronization with csync2

Having to synchronize some data among a Debian linux cluster, i settled on using csync2 for the job.
Here’s a short guide to set it up.

We are assuming two machines here, 01.cluster and 02.cluster. The 01.cluster is gonna be our “master” in this setup.

First on both machines install csync2 by executing:

apt-get install csync2

On each node we now need to generate a certificate for csync2 to communicate. We do it by the following commands, When asked to set a challenge password leave it empty, and leave the common name empty.:

openssl genrsa -out /etc/csync2_ssl_key.pem 1024
openssl req -new -key /etc/csync2_ssl_key.pem -out /etc/csync2_ssl_cert.csr
openssl x509 -req -days 600 -in /etc/csync2_ssl_cert.csr -signkey /etc/csync2_ssl_key.pem -out /etc/csync2_ssl_cert.pem

On the master we need to generate a preshared key for the nodes to communicate with:

csync2 -k /etc/csync2_ssl_cert.key

Note: You might experience a somewhat hang on the command, this is because the /dev/random pool isn’t filling up fast enough. To remedy this open a secondary connection to the server, and jab a bit around. Look in files, download some big file whatever makes the /dev/random entropy fill up

Now we need to set up the configuration file on the master, which is in /etc/csync2.cfg.

# Csync2 configuration example
group cluster
{
	host 01.cluster;
	host (02.cluster); # Slave host

	key /etc/csync2_ssl_cert.key;

	include /var/www;
	exclude /var/www/sessions;

	auto none;
}

Note: the hostname of all the machines needs to match the output of the hostname command.
The parentheses around 02.cluster is to make the synchronization only work in one direction. Now we need to copy the csync.cfg and the csync2_ssl_cert.key to the slave server(s).

After all this do a /etc/init.d/openbsd-inetd restart on all machines.
And run csync -x on the master to synchronize data on the slaves. Note data on the slave(s) WILL be overwritten/deleted

A logical step now would be to run csync –x from within a cron job. Which i will leave for a later post.

Troubleshooting

If lsyncd doesn’t want to start, then check in the log file. In our case the log file is /var/log/lsyncd.log
If you encounter a last line like:
Tue Oct 30 18:59:40 2012 Error: Terminating since out of inotify watches.
Tue Oct 30 18:59:40 2012 Error: Consider increasing /proc/sys/fs/inotify/max_user_watches

Then do one of the followings:

To change immediately the limit, run:
# echo 32768 > /proc/sys/fs/inotify/max_user_watches

To make the change permanent, edit the file /etc/sysctl.conf and add this line to the end of the file:
fs.inotify.max_user_watches=32768

After a crash of the start you should delete the lock file as follows:
rm /var/lock/lsyncd

To check if it runs, run the command:
root@ado:~# ps ax | grep lsyncd
12635 ? Ss 0:00 /usr/local/bin/lsyncd /etc/lsyncd.conf
12647 pts/2 S+ 0:00 grep lsyncd

First Synchronize with Csync2 Manually

Before setup cron job for handling Csync2 periodically, let’s trial manually at dev6c1:

csync2 -xv

If you get any error message you may try will following commands, too:

csync2 -xvvv
csync2 -TI

Else it should already works as expected.

Periodically Synchronize with Csync2

Now setup cron jobs with “crontab -e” as below:

*/1 * * * * csync2 -x >/dev/null 2>&1

Once save Csync2 will run once per 1 minute, check, synchronize and restart your service if required automatically.

Category: STORAGE, SYNC, SYNC | Los comentarios están deshabilitados en Setting up cluster synchronization with csync2