12/03/2010

iCTF - UCSB International Capture The Flag

I was fortunate enough to be invited to join the QUT iCTF team. The objective of the contest is to ensure that a set of required services remain available and uncompromised. In preparation for this task, I decided to set up a dedicated laptop for the contest. It would have been far easier to install a distribution such as BackTrack, but I decided to take the painful path.

First, a friend sold me his old laptop, which was far better than my current notebook. It was a Sony VAIO SZ34GP. I installed CentOS 5.5 on this notebook, just a base install with development libraries and tools. The instructions below provide a brief list of tools and their associated configurations. 

Repositories
There's a need to set up some additional repositories for CentOS to enable the installation of additional third party applications. For more information refer to the References section.

  1. sudo bash
  2. cd /etc/yum.repos.d/
  3. wget -q -O - http://www.atomicorp.com/installers/atomic |sh
  4. wget http://dries.eu/pub/dries-el.repo
  5. wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
  6. rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
  7. yum update
Installation

Install tools to be used for the competition. Most of the tools are penetration testing tools I have used in the past. I made a point of installing the development libraries and tools during the CentOS installation. This would be useful for developing and testing possible exploits.

  1. sudo yum -y install nmap
  2. sudo yum -y install amap
  3. sudo yum -y install hydra
  4. sudo yum -y install aide
  5. sudo yum -y install snort
  6. sudo yum -y install nikto
  7. sudo yum -y install ntop
  8. sudo yum -y install fail2ban
  9. sudo yum -y install tcptrack
  10. sudo yum -y install dsniff
  11. sudo yum -y install ngrep
  12. sudo yum -y install fragroute
  13. sudo yum -y install hping
  14. sudo yum -y install scapy
  15. sudo yum -y install tcptraceroute
  16. sudo yum -y install firewalk
  17. sudo yum -y install iptraf
  18. sudo yum -y install kismet
  19. sudo yum -y install ettercap
ChaosReader
  1. Download latest version from source forge (http://chaosreader.sourceforge.net)
  2. sudo mkdir -p /opt/chaosreader
  3. sudo cp chaosreader0.94 /opt/chaosreader/
  4. sudo chmod 755 /opt/chaosreader/chaosreader0.94
  5. sudo ln -s /opt/chaosreader/chaosreader0.94 /usr/local/bin/
John the Ripper
  1. wget http://www.openwall.com/john/g/john-1.7.6.tar.gz
  2. tar zxvf john-1.7.6.tar.gz
  3. cd john-1.7.6
  4. cd src
  5. make clean linux-x86-any
  6. sudo mv ../run /opt/john-1.7.6
  7. sudo chown -R root:root /opt/john-1.7.6
  8. sudo mv /opt/john-1.7.6/john.conf /opt/john-1.7.6/john.ini
  9. sudo ln -s /opt/john-1.7.6/john /usr/local/sbin/
  10. sudo ln -s /opt/john-1.7.6/john.ini /usr/local/sbin/
OpenVAS
  1. sudo yum -y install openvas-server openvas-client openvas-scanner
  2. sudo openvas-mkcert
  3. sudo /usr/sbin/openvas-nvt-sync # Add as a cron job - refer to OpenVAS documentation
  4. sudo /etc/rc.d/init.d/openvas-scanner restart
  5. sudo /usr/sbin/openvas-adduser # Add rules "default accept" if unsure
Skipfish
  1. wget http://skipfish.googlecode.com/files/skipfish-1.81b.tgz
  2. tar zxvf skipfish-1.81b.tgz
  3. sudo mv skipfish-1.81b /opt/
  4. sudo ln -s /opt/skipfish-1.81b/skipfish /usr/local/sbin/
  5. sudo ln -s /opt/skipfish-1.81b/sfscandiff /usr/local/sbin/
  6. sudo chown -R root:root /opt/skipfish-1.81b
VMWare Server
  1. Download the latest VMWare Server, at the time of this blog it was version 2.0.2
  2. tar zxvf VMware-server-2.0.2-203138.i386.tar.gz
  3. cd vmware-server-distrib
  4. sudo ./vmware-install.pl
References:

  1. http://ictf.cs.ucsb.edu/
  2. http://rpmrepo.org/RPMforge
  3. http://www.backtrack-linux.org/
  4. http://wiki.centos.org/AdditionalResources/Repositories
  5. http://www.openvas.org/
  6. http://www.alienvault.com/free_nessus_feed.php
  7. http://www.hacktoolrepository.com/

11/23/2010

Installing Metasploit Framework on Ubuntu

Recently, I had to install Metasploit Framework on Ubuntu. I thought I would document the instructions here. Be sure to check the downloads page on the Metasploit website (http://www.metasploit.com) to get the current version. At the time of this blog the latest version was 3.5.0.

  1. wget http://updates.metasploit.com/data/releases/framework-3.5.0.tar.bz2
  2. bunzip2 framework-3.5.0.tar.bz2
  3. tar xvf framework-3.5.0.tar
  4. sudo cp -a msf3 /opt/msf3
  5. sudo ln -sf /opt/msf3/msf* /usr/local/bin/
  6. sudo svn update /opt/msf3/
  7. sudo crontab -e -u root # Enter "1 * * * * /usr/bin/svn update  /opt/msf3/ >> /var/log/msf3update.log 2>&1"
References:
  1. http://www.metasploit.com/redmine/projects/framework/wiki/Install_Ubuntu
  2. http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training

11/12/2010

Fake ARP Daemon

The Fake ARP Daemon, or FARPD, provides the implementation of a fake ARP daemon for use with HoneyD. It responds to ARP requests for IP addresses modelled using HoneyD with a specific interface MAC address. FARPD is required to set up HoneyD networks on the test bed. However, it was initially developed for the BSD platform; as a result, installation on SysV systems needs a bit of work if compiling from a source tar ball.


  1. wget http://farpd.sourcearchive.com/downloads/0.2-10/farpd_0.2.orig.tar.gz
  2. wget http://farpd.sourcearchive.com/downloads/0.2-10/farpd_0.2-10.diff.gz
  3. tar zxvf farpd_0.2.orig.tar.gz
  4. gunzip farpd_0.2-10.diff.gz
  5. cd farpd-0.2
  6. patch -p1 < ../farpd_0.2-10.diff
  7. sudo mkdir -p /usr/lib/bin
  8. sudo ln -s /usr/bin/dnet-config /usr/lib/bin/dnet-config
  9. sudo ln -s /usr/bin/dnet-config /usr/lib/bin/dumbnet-config
  10. ./configure --with-libdumbnet=/usr/lib --with-libevent=/usr
  11. sudo ln -s /usr/include/dnet.h /usr/include/dumbnet.h
  12. make
  13. sudo make install
The related (unpublished) research project can be found at http://eprints.qut.edu.au/39098/

11/03/2010

Chinese Cheapness... me likey vely much

I finally decided to get a tablet. I already have a laptop for all my usual work requiring mobility, and a dual screen workstation for heavy work at home. I could not justify spending a couple of hundred dollars on a gadget. Even though I would like to develop applications for the Android platform, software emulators would do just as well for testing and deployment evaluation, but I got an Android tablet anyway... not a high end, high quality one with the high price tag attached to it... I got a Chinese Cheapness... an Eken M002 [1] to be exact, off eBay!



In all honesty, given the budget and the reviews, expectations were low. I was surprised when I got the box. Initially I thought I was shipped the incorrect model, as the box depicted an Eken M001 tablet and not the expected Eken M002. However once I opened the box, I discovered the correct unit inside. The packaging was slightly damaged, I suspected this may have happened during transit. The box contained an AC charging adapter, a small manual, which was promptly discarded back into the box, a small stylus and a 30 pin USB cable similar to the standard iPhone or iPod cable.

I pressed the power button, checked out settings, etc. to make sure the unit was working properly, and left the seller my feedback on eBay. I knew that the Android Market application was not installed. Fortunately I was prepared, and had previously downloaded the latest firmware [2]. Since the unit did not arrive with any SD card, I used an old 2GB card I had lying about. I flashed the firmware as per the instructions on the slatedroid.com site without any issues.

Screen
The unit features a nice durable aluminium body, which gives it a nice feel. The 7" resistive touch screen provides an 800x480 16:9 display and input. Since it's a resistive screen, there is no multi-touch. The bootup process seems to take a good minute or two (about one minute and thirty seconds), probably because of the low 128MB RAM running at 800 MHz and the lightweight VIA MW8505 CPU running at 533 MHz. The touch screen itself appeared very poor: it seems to be more sensitive in one corner and less in the other.

A close examination revealed slight ripples/a bulge across the screen, as though a large screen was forced into a small case, instead of it being completely smooth. The unit appeared to respond better to a human touch than to prompting and provocation by the mechanical stylus.

Capacity
The internal storage appears to be only 1GB. As previously mentioned I am running the unit with a 2GB SD card; the product website seems to claim it can support up to 32GB. I will update the blog when I run out of space on the current card, which seems unlikely.

Battery
Since I'd already read the reviews, I wasn't expecting much in terms of runtime. Unlike the iPad which delivered between 10hrs to 12hrs runtime, the M002 would give you between 1hr to 2hrs depending on what you were running.


Ports
On the base of the unit there are several ports: one for the SD card, the 30-pin USB port, a 3.5mm headphone jack, the power adapter port and a small pin hole labelled MR, which I assumed meant master reset. Without hesitation a conveniently located paper clip was straightened and inserted, and the unit reset. Also, the USB port seems to fit upside-down.

Networking
I've seen pictures of adapters that plug into the 30-pin USB port and provide an RJ45 connection. However, the unit natively supports 802.11b and 802.11g and is capable of working with WPA2. This is very simple to set up and worked without issues.


Camera
I didn't even bother checking the resolution. The image appears to be so low resolution it reminded me of the camera on my old Nokia 2760 phone. This is exactly what I had expected for the dollars spent. If you want HD just get an iPad.


Android Market
The main reason for the firmware upgrade was to get access to the Android Market. Since it's a toy, all the useful applications were installed, i.e. Facebook, Dolphin Browser, anti virus (not sure why), WeatherBug, Blogaway, Touiteur, Kindle, RealCalc, eBay, Dropbox, mAnalytics, Speed Test, ConnectBot and Wifi Analyser, Ping, Pinger, AndroidVNC, Remote RDP Lite, SecurityInfo.com Net Audit.

Performance

  • The resolution of the YouTube video playback does not seem the best, but gets the job done.
  • The Home screen keeps crashing, so I get "Sorry! Activity Home (in process android.process.acore) is not responding", which is annoying to say the least. I installed Home++ and things are much better now.
  • Using the USB port does not appear to charge the unit, so I need to have the AC plugged in to charge.
  • The orientation change from landscape to portrait and vice versa is not very responsive at times; I am not sure if this is a software issue with Android or a hardware issue with the accelerometer.
  • The Skype client does not support Skype over the Wifi link, so I cannot make voice calls using Skype.
Issues

The battery runtime leaves a lot to be desired, but I knew this before I got the unit. As for issues, the unit does tend to overheat to the extent that it's not comfortable holding it in the palm of your hand for prolonged periods of time. This overheating issue is the only one that I was not aware of. The bottom line is that I was prepared for, and knew, what I was getting. For anyone considering a tablet for regular use for anything other than recreation, this unit is not for you, and you should probably wait for the Google gPad.

When I have some more time, I will try to see if there is a better custom firmware and run that to see if it makes a difference.

References

  1. http://www.ekengroup.com/en/products/show.asp?id=17
  2. http://www.slatedroid.com/eken-m002-firmware-development/8279-[-piece-software-flashed-device-expand-its-functionality]-m002s-2-0-plus.html

10/24/2010

Mildly Amusing

It's only mildly amusing but perhaps more of a disappointment what people are passing off as blogs these days.

Sure everyone has a right to their opinions and an equal right to express them on blogs, but the pretentious content expressed on some blogs is simply misleading and in my opinion an abuse of trust.

Blog readers vest a certain level of trust in bloggers to accurately represent their perception of the common truth. It's simply unbecoming when bloggers make up facts just to support their opinions and claims.

There should definitely be some form of blog peer review to rank blogs for their content. Possible criteria proposed could be Factual, Opinion, Technical, etc. or TA for bloggers talking out of their bottoms.

So until some form of peer review, approval and/or ranking is implemented please file this one under Opinion or TA, whichever takes your fancy...


- Posted using BlogPress from my iPhone 3GS

10/09/2010

MSOHTMED.EXE and MSOXMLED.EXE

When attempting to edit an HTML document, the Microsoft XML editor may be used. However, occasionally this may not function correctly and result in high CPU usage by the MSOHTMED.EXE and MSOXMLED.EXE processes. Killing the processes with Windows Task Manager may not work either.

To correct this, change the HTML document editor specified in Internet Options:
Control Panel - Internet Options - Programs tab - HTML editor field

Reverting back to the original setting also works, but I prefer using Vim for Windows to edit my HTML documents anyway :)

10/06/2010

"Spellling" in gVim

To enable spell check in gvim
:set spell spelllang=en_au


To correct highlighted word
z=


To disable spell check
:set nospell

9/12/2010

if (Indians || Endians) {...

As part of my research project I have been working on some network code in C++. I ran into a couple of issues, which were tracked down to incorrect endian orientation, i.e. big-endian vs. little-endian. While testing a couple of theories, I came up with a demo app which may be useful to someone.

#include <iostream>
#include <string>

#include <cstdio>  // printf
#include <cstdlib> // atoi

using std::cout;
using std::endl;
using std::string;

/**
 * Declare an integer and check which byte holds its value. If the byte at the
 * lowest address is 0 then the value sits in the high order byte and this is a
 * big endian machine, otherwise the value 1 sits in the lowest address and the
 * machine is little endian. The function isBigEndian is defined as a macro for
 * inline substitution at compile time.
 */
const int ENDIAN = 1;
#define isBigEndian() ((*(char*)&ENDIAN) == 0)

// function prototypes
int reverseInt( int );
void usage();
/**
 * main entry point into the endian demo application. The application accepts
 * an integer from the command-line arguments and displays it as an int, as a
 * hex value and then finally the raw bytes. If the machine is a little-endian
 * based processor then details of the reversed int are also displayed.
 *
 * @param argc - int specifying the number of command line
 *               arguments
 * @param argv - char ** containing the actual command line
 *               arguments
 * @return int - 0 on success, else non-zero value
 */
int main( int argc, char **argv ) {
  // check command line arguments
  if ( argc != 2 ) {
    usage();
    return -1;
  }

  // parse and process command line arguments
  int x = atoi( argv[1] );                  // get the int
  unsigned char *ptr = (unsigned char *)&x; // byte array pointer to int
  int y = 0;                                // variable to hold the reversed int

  // display the int size
  cout << "sizeof(int) = " << sizeof(int) << endl << endl;

  // display info on the int
  printf("dec: %d\n", x);
  printf("hex: 0x%x\n", x);
  printf("bytes: ");
  for (size_t i=0; i < sizeof(int); i++) {
    printf("0x%02x ", ptr[i] ); // using cout is too annoying for formatting!!
  }
  cout << endl;
  // copy exactly sizeof(int) bytes: the raw int is not NUL terminated, so the
  // length must be given rather than letting string scan for a terminator
  string str(( const char * ) ptr, sizeof(int) );
  cout << "str: " << str << endl;

  // determine endian orientation of machine
  if ( isBigEndian() ) {
    cout << "Big Endian Machine!!!" << endl;
  } else {
    cout << "Little Endian Machine!!!" << endl;
    y = reverseInt(x); // reverse the int
    printf("dec: %d\n", y);
    printf("hex: 0x%x\n", y);
    printf("bytes: ");
    ptr = (unsigned char *)&y;
    for (size_t i=0; i < sizeof(int); i++) {
      printf("0x%02x ", ptr[i] ); // using cout is too annoying for formatting!!
    }
    cout << endl;
    str.assign((const char *)ptr, sizeof(int));
    cout << "str: " << str << endl;
  }

  return 0;
}

/**
 * Should only be called on little endian processors. Reverses the int byte
 * order for little endian machines.
 *
 * @param iNum - int to reverse
 * @return int - the reversed int
 */
int reverseInt( int iNum ) {
  unsigned char rev[sizeof(int)]; // stack buffer, nothing to free
  for ( size_t i = 0; i < sizeof(int); i++ ) {
    rev[i] = (unsigned char)((iNum >> (8*i)) & 0xFF); // byte i, low order first
  }

  // build the reversed value as unsigned so the shifts never touch the sign bit
  unsigned int ret = 0;
  for ( size_t i = 0; i < sizeof(int); i++ ) {
    ret |= (unsigned int)rev[i] << ((sizeof(int) - (i+1)) * 8);
  }

  return (int)ret;
}

/**
 * usage displays the demo program usage information. The usage
 * information is output to stdout.
 */
void usage() {
  cout << "Usage: endian INT" << endl;
  cout << "Endian demo application to check and manipulate int for endian use";
  cout << endl << endl;
  cout << "  INT\t- int value";
  cout << endl << endl;
  cout << "Example:" << endl;
  cout << "  endian 65535" << endl;
}
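As an added example (not part of the original post), the same byte-order question in the network-code setting the post mentions: a 32-bit field is written into a packet buffer in network byte order with explicit shifts, read back, and checked against the POSIX htonl()/ntohl() functions; it also shows the raw memcpy of a host int that produces mismatched bytes on a little-endian host. The Header struct, putBe32/getBe32 and the other names are my own, and the 8-byte header layout is a constructed one, not a real protocol.

```cpp
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <arpa/inet.h> // htonl/ntohl, POSIX

// Endian probe that copies the int into a byte array with memcpy instead of
// reading it through a char pointer; gives the same answer as isBigEndian().
bool hostIsBigEndian() {
    const uint32_t probe = 1;
    unsigned char bytes[sizeof(probe)];
    std::memcpy(bytes, &probe, sizeof(probe));
    return bytes[0] == 0;
}

// General 32-bit byte swap (what reverseInt does), on unsigned so that the
// shifts never involve the sign bit.
uint32_t swap32(uint32_t v) {
    return ((v & 0x000000FFu) << 24) | ((v & 0x0000FF00u) << 8) |
           ((v & 0x00FF0000u) >> 8)  | ((v & 0xFF000000u) >> 24);
}

// Write v into out[0..3] in network (big-endian) order. The shifts select
// bytes by value, not by memory position, so this is correct on every host.
void putBe32(unsigned char *out, uint32_t v) {
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)(v);
}

// Read a network-order 32-bit value from in[0..3].
uint32_t getBe32(const unsigned char *in) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  | (uint32_t)in[3];
}

// The mistake behind the symptoms the post describes: copying the host's
// in-memory bytes straight into the packet. On a little-endian host the four
// bytes leave in the reverse of network order, so this returns false there.
bool rawCopyMatchesNetworkOrder(uint32_t v) {
    unsigned char raw[4], wire[4];
    std::memcpy(raw, &v, sizeof(v));
    putBe32(wire, v);
    return std::memcmp(raw, wire, sizeof(raw)) == 0;
}

// Constructed wire header (hypothetical): two big-endian 32-bit fields.
struct Header {
    uint32_t magic;
    uint32_t length;
};
const size_t HEADER_WIRE_SIZE = 8;

void encodeHeader(const Header &h, unsigned char *out) {
    putBe32(out, h.magic);
    putBe32(out + 4, h.length);
}

Header decodeHeader(const unsigned char *in) {
    Header h;
    h.magic = getBe32(in);
    h.length = getBe32(in + 4);
    return h;
}

// Same decode using ntohl(): memcpy the raw wire bytes into a uint32_t
// (so they are in network order in memory) and let ntohl() fix them up.
Header decodeHeaderNtohl(const unsigned char *in) {
    uint32_t m, l;
    std::memcpy(&m, in, 4);
    std::memcpy(&l, in + 4, 4);
    Header h;
    h.magic = ntohl(m);
    h.length = ntohl(l);
    return h;
}

// Encode a header, decode it both ways and check the fields survive.
bool headerRoundTrips(uint32_t magic, uint32_t length) {
    Header h = { magic, length };
    unsigned char buf[HEADER_WIRE_SIZE];
    encodeHeader(h, buf);
    Header a = decodeHeader(buf);
    Header b = decodeHeaderNtohl(buf);
    return a.magic == magic && a.length == length &&
           b.magic == magic && b.length == length && getBe32(buf) == magic;
}

int main() {
    Header h = { 0xCAFEBABEu, 42u };
    unsigned char buf[HEADER_WIRE_SIZE];
    encodeHeader(h, buf);
    std::printf("host is %s endian\n", hostIsBigEndian() ? "big" : "little");
    std::printf("wire bytes:");
    for (size_t i = 0; i < HEADER_WIRE_SIZE; i++) std::printf(" %02x", buf[i]);
    std::printf("\nraw int copy matches network order: %s\n",
                rawCopyMatchesNetworkOrder(h.magic) ? "yes" : "no");
    std::printf("round trip ok: %s\n", headerRoundTrips(h.magic, h.length) ? "yes" : "no");
    return 0;
}
```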

9/01/2010

Google yourself - Self-googling as a tool for privacy protection

Due to the growth of recent social networking web applications such as Facebook, Twitter, etc., it's not uncommon to unknowingly disclose personal details into the public domain. The use of search engines such as Google is a popular way to find out if you have increased your potential vulnerability to identity theft.


Whilst "self-googling can be the theory of narcissism" [2], it's also a good way to investigate personal and related information about oneself. The consequences of having an unwanted Internet presence can be quite serious, not only from an information security perspective, but also from a social one. Once you have identified the appropriate information you need to remove it; this is the hard part. Google Webmaster Tools provide several guidelines for this.


A digital presence creates a cyber footprint which is not always so easy to get rid of, and can follow the unsuspecting cyber citizen home!!! So perhaps Googling yourself every once in a while is a healthy thing and not so bad after all.


References:

  1. http://www.google.com/webmasters/tools/removals
  2. http://www.citeulike.org/user/thiemehennis/article/6895338
  3. http://www.stopcyberbullying.org/take_action/google_yourself.html
  4. http://www.time.com/time/business/article/0,8599,1893965,00.html
  5. http://www.wikihow.com/Ungoogle-Yourself

8/19/2010

Failed to install "Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB983583)"

Windows Update kept failing indicating it Failed to install "Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB983583)"

After some Googling, and manually downloading and running the update, I managed to get the actual error message 1603 from the manual installer. Later I discovered that the generic error "1603" implies a "Fatal error during installation.".

The Microsoft KB seems to indicate that "These errors codes are usually caused by a corruption in the .NET Framework installation or by an inconsistency on the MSI database state.". In an attempt to resolve the issue as per the KB, I attempted to manually uninstall the .NET Framework, but this too failed.

I then downloaded the uninstaller (refer to reference 3 below) and forced the uninstall. I installed the latest .NET Framework and updated. I had to reboot the machine after the first lot of updates, and attempted Windows Update again after the reboot. Uninstalling and re-installing the .NET Framework appears to have resolved the issue.

References:
  1. http://www.microsoft.com/downloads/details.aspx?FamilyID=1e53f250-2d4b-4f61-86ee-9f9f3a9c0b48&displaylang=en
  2. http://support.microsoft.com/kb/923100/
  3. http://cid-27e6a35d1a492af7.skydrive.live.com/self.aspx/Blog_Tools/dotnetfx_cleanup_tool.zip

8/08/2010

Australian Game Shops Online

Thought I'd share a list of game shop websites that I found using Google. It also saves me searching for it again.


http://www.alternateworlds.com.au/
http://www.gamesparadise.com.au/
http://www.goodgames.com.au/
http://www.milsims.com.au/catalog/
http://www.mindgamesmelbourne.com/
http://www.minotaur.com.au/
http://www.tactics.net.au/
http://www.tinsoldier.com/

7/27/2010

Yum via a proxy

In case you need to force yum on a Red Hat or CentOS system through a proxy that requires authentication, the quickest way I found was to set the following environment variable, e.g. exported from .bash_profile or the like:
export http_proxy=http://username:password@proxy_server:proxy_port

6/16/2010

Cisco 827 Router - Unable to initialize flash device at FFE80000 -- device not found.

It seems that, if the ROMMON software is upgraded, then the older IOS causes the detection of the Flash memory to fail resulting in the error "Unable to initialize flash device at FFE80000 -- device not found." upon bootup. 


After Googling, several sites (e.g. http://www.velocityreviews.com/forums/t30077-cisco-827-flash-memory-and-ios.html) list upgrading the IOS as the solution. In hindsight, to avoid this it may be a good idea to first upgrade the IOS to the latest version before attempting to upgrade the ROMMON.



System Bootstrap, Version xx.x(xx)xxx, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
C827 platform with 32768 Kbytes of main memory

Unable to initialize flash device at FFE80000 -- device not found.
CISCO C827 (MPC855T) processor (revision 0x801) with 31744K/1024K bytes of memory.
Processor board ID JAD06430E2L (2370919839), with hardware revision FD3C
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.

Router>sh ver

Cisco Internetwork Operating System Software
IOS (tm) C827-4V Software (C827V-xx-x), Version xx.x(x)xx, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 10-Apr-00 13:45 by phanguye
Image text-base: 0x80013170, data-base: 0x8067D780

ROM: System Bootstrap, Version xx.x(xx)xxx, RELEASE SOFTWARE (fc1)

Router#show file systems
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
      131072      130366     nvram     rw   nvram:
           -           -    opaque     rw   null:
           -           -    opaque     rw   system:
           -           -   unknown     wo   rommon:
           -           -   network     rw   tftp:
           -           -    opaque     ro   xmodem:
           -           -    opaque     ro   ymodem:
           -           -   network     rw   rcp:
           -           -   network     rw   ftp:


To resolve the issue a newer version of the IOS needs to be installed on the router. This becomes an issue as "flash:" is not detected. The IOS needs to be installed over the serial interface using the XMODEM commands. Boot to the ROMMON prompt, i.e. reload the router and hit the break sequence.


Depending on the size of the image, this may take a while. Also, depending on the router and the ROMMON version, you may be able to configure the xmodem speed, etc. I used Windows HyperTerminal (hypertrm) for this. Once it's done, set the confreg back (0x2102), if you changed it, and reset the router. All should be good now.

5/15/2010

Scapy on Ubuntu

I won't introduce Scapy as there are lots of overviews, introductions, tutorials and guides available on Scapy, so just Google for it. I thought I'd blog about my install on Ubuntu just in case I need to come back to it at some stage and cannot recall exactly what and how I installed:
  1. sudo apt-get update
  2. sudo apt-get install tcpdump 
  3. sudo apt-get install python
  4. sudo apt-get install python-scapy
  5. sudo apt-get install graphviz 
  6. sudo apt-get install imagemagick 
  7. sudo apt-get install python-gnuplot 
  8. sudo apt-get install python-crypto
  9. sudo apt-get install python-pyx
I may be putting up some Scapy scripts on my webpage in the near future in case anyone is interested. I used Scapy for Digital Forensics.

4/13/2010

Toshiba Recovery Wizard

In case you ever need to perform a recovery on a Toshiba, (obviously after the necessary backups, ensure running on mains power, etc)
  1. Turn off laptop.
  2. Press and hold "0" (zero) key.
  3. Power on laptop.
  4. Once the Toshiba splash screen appears, release the "0" (zero) key.
  5. Follow the Toshiba Recovery Wizard prompts.

3/19/2010

Urbanspoon - Curryville

Took a chance on Urbanspoon and headed to Cilliville for some curry as it was Friday "arvo" and Deb and I were both tired. Read some initial reviews and were a bit cautious.

The Vege Samosas were very authentic. Home made pastry and the fillings were just right. I got the special "Indian Hot" Vege curry and they weren't kidding around. I had that with rice and then stole some garlic naan from Deb.

They did not over do the decorations either. It has just the right amount of clutter in the right places. Background music was not deafening, but the traffic noise was pissing me off a bit. Overall it was a good feed.


- Posted using BlogPress from my iPhone 3GS

3/07/2010

Website Changes

Minor website changes to www.kush.com.fj. Replaced original splash image with new one made using new Hindi script. Also created splash image for Resume page using previous and current business cards. Let me know what you think as well as any more ideas or recommendations for improvements...

3/01/2010

Ubuntu 9.10 does not boot up after hibernate!!!

I've been running Ubuntu 9.10 desktop on my HP nx6120 notebook with some success for a little while now. It performs well for my TeX work, occasional web-browsing, VPN, RDP and e-mails. The GUI is enhanced using Mac4Lin. I loved the hibernate feature until late this afternoon when it refused to boot up after hibernating. I would get the splash screen and then nothing... curses!!!

I managed to find a work-around but am still not sure what the problem was:
  1. Boot up the machine with a rescue CDROM
  2. Confirm the root partition for the Ubuntu install (in my case it was /dev/sda8, although I only have IDE drives)
  3. Boot up the machine and wait for the GRUB prompt
  4. Press "e" to edit the entry
  5. Replace the "root=UUID..." with "root=/dev/..." on the "linux" line entry
  6. Add the entry "no_console_suspend" on the same line
  7. Press the "Tab" key to complete the Emacs edit
  8. Press "Ctrl+x" to continue booting
Once the machine has bootup as normal, edit the GRUB configuration
  1. sudo vi /etc/default/grub 
    1. Edit the file to uncomment GRUB_DISABLE_LINUX_UUID
    2. Edit the file to add no_console_suspend in the GRUB_CMDLINE_LINUX
    3. Save the file and exit
  2. sudo /usr/sbin/update-grub


2/28/2010

Snort sniff honk !

Snort is an open source intrusion detection system (IDS). It's highly configurable and can be run in a number of modes and architectures. There are a small number of freely available rules to use. For more information refer to the Snort home page http://www.snort.org/. Here are some instructions on getting it set up on CentOS; these were adapted from the Snort documentation by Patrick Harper at http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf;

  1. yum install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ php php-pear libpcap-devel
  2. vi /etc/httpd/conf/httpd.conf #Edit the httpd.conf file to suit
  3. /etc/rc.d/init.d/httpd start
  4. /etc/rc.d/init.d/mysqld restart
  5. /usr/bin/mysql_secure_installation
  6. cd /root
  7. mkdir snortinstall
  8. cd snortinstall
  9. wget http://dl.snort.org/snort-current/snort-2.8.5.3.tar.gz
  10. tar zxvf snort-2.8.5.3.tar.gz
  11. cd snort-2.8.5.3
  12. ./configure --with-mysql --enable-dynamicplugin # Fingers crossed it all goes well
  13. make
  14. make install
  15. /usr/sbin/groupadd snort
  16. /usr/sbin/useradd -g snort snort -s /sbin/nologin
  17. mkdir -p /etc/snort/rules
  18. mkdir -p /var/log/snort
  19. cd /root/snortinstall/snort-2.8.5.3/etc
  20. cp ./* /etc/snort/
  21. cd /root/snortinstall
  22. wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
  23. tar zxvf emerging.rules.tar.gz
  24. cd rules
  25. cp ./* /etc/snort/rules/
  26. vi /etc/snort/snort.conf # Edit the snort.conf file to suit
  27. /etc/rc.d/init.d/mysqld start
  28. mysql -u root -p mysql # Create the snort database and snort database user and set permissions
  29. cd  /root/snortinstall/snort-2.8.5.3/schemas
  30. mysql -u snort -p snort < create_mysql
  31. pear install -a Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  32. cd /root/snortinstall/
  33. wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=transact
  34. wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.4/base-1.4.4.tar.gz?use_mirror=transact
  35. cd /var/www
  36. tar zxvf /root/snortinstall/adodb510.tgz
  37. mv adodb5/ adodb
  38. cd /var/www/html/
  39. tar zxvf /root/snortinstall/base-1.4.4.tar.gz
  40. mv base-1.4.4/ base
  41. cd base
  42. cp base_conf.php.dist base_conf.php
  43. vi base_conf.php # Edit the file to suit
  44. # Load http://SERVERNAME/base in a browser and click on the setup link
  45. # Click on Create BASE AG button
  46. # Click on the Main Page link
SQL
  1. create database snort;
  2. create user 'snort'@'localhost' identified by '<snort-db-password>'; -- use the same password in base_conf.php; never leave it empty
  3. grant create, insert, select, delete, update on snort.* to snort@localhost;
  4. grant create, insert, select, delete, update on snort.* to snort;

2/21/2010

Timing is everything...

Having the correct clock timestamp is very important for logging, maintenance, troubleshooting and even forensic analysis. Timing provides a very important frame of reference for network devices such as hosts, routers and switches. It would be almost impossible to construct a reliable model of an environment without a standard and accurate frame of reference, thus timing is everything...

The Hardening Cisco Routers book provides a good reference on the importance of Network Time Protocol (NTP), and can be found at http://oreilly.com/catalog/hardcisco/chapter/ch10.html. NTP is a very popular way to synchronise system clocks with a central trusted server. Here's a rough guide to getting NTP running on a Linux server;

  1. sudo yum install ntp # Install the NTP client
  2. sudo vi /etc/ntp.conf # Edit the configuration file to use the nearest server pool. Refer to www.ntp.org to get the pools.
  3. sudo mv /etc/localtime /etc/localtime~ # Backup the localtime file
  4. sudo ln -s /usr/share/zoneinfo/<Region>/<City> /etc/localtime # Ensure that the correct localtime file is set for your city
  5. sudo ntpdate <ntp-server> # Set the date using NTP from the pool specified*
  6. sudo /etc/rc.d/init.d/ntpd start # Start the NTP client daemon
  7. ntpstat # Check that the system clock is synchronised
  8. date # Check that the system date is set correctly
  9. sudo hwclock -w # Set the hardware clock to the system date
  *Note: Ensure that the host allows traffic on port 123 for the NTP protocol to work.

2/20/2010

Linux Jump Box VPN

With the Linux Desktop out of the way, and my impending studies in Network Security coming up, I thought I'd preempt the studies with some initial ground work on my old Linux Server. Previously we had an old server at home that was used mostly as a web proxy (Squid) and Windows (Samba) server to share files and the home printer.

Well, it was time for a change and I decided to rebuild it into a bastion jump box, with a restructure of the home network as well. I started off by installing a second Network Interface Card (NIC) in it. Then I installed a bare CentOS on it. I did a yum update on it to ensure the latest patches and stable packages were installed. Next I went through the services and disabled all the unnecessary stuff.

The idea is to separate the internal network from the De-militarized Zone (DMZ). The purpose of the jump box is to sit on the DMZ between the access and choke routers. The jump box will provide Virtual Private Network (VPN) access into the network, as well as providing proxy services such as web proxy, syslog, ssh and other services.

In the network, both the access and choke router perform Network Address Translation (NAT), Quality of Service (QoS), as well as stateful packet inspection (SPI) firewall functions. In addition to SPI, the choke also performs some port forwards to the jump box and the SIP phone. All other traffic is dropped.

So to get home from university, I need to VPN in, then use SCP to transfer my files (assignments, reports, etc) and get out again.

To install OpenVPN, perform the following tasks;
  1. sudo wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
  2. sudo yum --enablerepo=kbs-CentOS-Testing install openvpn
  3. sudo find / -name "easy-rsa" # returns something like "/usr/share/openvpn/easy-rsa/"
  4. sudo cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
  5. cd /etc/openvpn/easy-rsa/2.0/ # cd is a shell builtin, so it cannot be run through sudo
  6. sudo mkdir keys
  7. sudo vi ./vars
  8. Change the following variables
    1. export KEY_SIZE=2048
    2. export KEY_COUNTRY=""
    3. export KEY_PROVINCE=""
    4. export KEY_CITY=""
    5. export KEY_ORG=""
    6. export KEY_EMAIL=""
  9. sudo bash
  10. source ./vars
  11. ./clean-all
  12. ./build-ca
  13. ./build-key-server server #server is the unique name to identify the server
  14. ./build-key client #client is the unique name to identify the client (repeat for each client)
  15. ./build-dh
  16. find / -name "server.conf" # returns something like "/usr/share/doc/openvpn-2.1/sample-config-files/server.conf"
  17. cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
  18. Edit the file to suit
  19. Copy the Diffie-Hellman pem file (dh2048.pem), the server key file (server.key), and the CA certificate file (ca.crt) to the working directory and start the OpenVPN server (/etc/rc.d/init.d/openvpn start).