Wednesday, 31 December 2003

Administering Servers with Webmin

I've been trying Webmin on FreeBSD, Solaris 8, and HP-UX 11i today. Once I repatriate my AIX box from my employer, I intend to install Webmin on it as well. For FreeBSD, I installed the package provided by the FreeBSD project. For Solaris, I used the package provided by Webmin. For HP-UX, I downloaded the tarball and installed from source. I tried the version packaged by HP with their port of Apache and Tomcat, but couldn't get it to install on its own. Webmin uses its own "miniserv.pl" so Apache is not needed. Webmin is a Web-based, cross-platform...

Monday, 29 December 2003

Security 101 Book

Today I was asked for my recommendation for a "security 101" book. I hadn't given the subject much thought, although I think Ed Skoudis' Counter-Hack is a great place to start. I looked around my office and found a book Addison-Wesley sent me last year: Internet Site Security by Erik Schetina, Ken Green, Jacob Carlson. After thumbing through the book, I've decided it's excellent. I won't review it on Amazon.com, since my policy is to only review...

Using Sysmon to Detect Faulty Hardware

No sooner had I posted the entry on Sysmon than it detected a network problem. Two of my systems were unreachable. They both sat on a DMZ leg of my gateway. After troubleshooting at various layers I narrowed the issue down to a faulty NIC in the gateway. How often does that happen? Unfortunately the bad NIC is an Intel PRO/100+ Dual Port Server Adapter (PILA8472). When trying to ping out from the NIC to the DMZ, here's the sort of traffic the NIC generated:

00:39:18.628691 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:19.638731 0:0:0:0:0:0...

FreeBSD on Laptops

I thought the best I could do for help running FreeBSD on laptops was Linux on Laptops, until I learned of the FreeBSD Laptop Compatibility List. This site even had an entry for my Thinkpad a20p. There's an article at Freebsd.org and another database of information also available. I've had various versions of FreeBSD running on this laptop since I tried installing FreeBSD 4.1.1. I plan to install FreeBSD 5.2 REL once issues in the todo list are...

Saturday, 27 December 2003

Understanding Snort DNS TTL Alerts

While reading a recent Network Computing magazine article, I noticed an interesting discussion of "DNS-based route optimizers." These sounded like the products which confused IDS operators four years ago. I read about it in an earlier NWC article. This December 2003 article states: "Handling external Web requests... is accomplished by advertising a low DNS TTL of about 10 seconds. This forces the end user's DNS server to request an updated IP address...
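As an added illustration, not code from the original post and not a Snort signature: a small parser for a DNS response that flags answers whose TTL falls below a threshold, which is exactly the condition a route optimizer creates on purpose. The sample response is constructed inline (the builder encodes A records whose owner name is a compression pointer back to the question); the 60-second threshold and the function names are my own choices, not anything the article specifies. The point of running it is to see that a low-TTL alert identifies a traffic pattern, not an intrusion, so the operator still has to check who is answering and why.

```python
import struct

# ---- constructed sample data (not captured traffic) ------------------------

def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, answers, txid=0x1234):
    """Constructed DNS response: header, one A question, and A answers whose
    owner name is a compression pointer (0xC00C) to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = b""
    for ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + body

# ---- parser --------------------------------------------------------------

def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after the field)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # field ends after first pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata)] for every record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        out.append((name, rtype, ttl, rdata))
    return out

def low_ttl_answers(msg, threshold=60):
    """Answers whose TTL is below the (assumed) threshold; what a low-TTL alert keys on."""
    return [(n, ttl, rd) for n, _t, ttl, rd in parse_answers(msg) if ttl < threshold]

if __name__ == "__main__":
    optimizer = build_response("www.example.com", [("192.0.2.10", 10), ("192.0.2.11", 10)])
    ordinary = build_response("www.example.com", [("192.0.2.10", 3600)])
    print("optimizer-style response:", low_ttl_answers(optimizer))
    print("ordinary response:", low_ttl_answers(ordinary))
```

Anything a site does deliberately (short TTLs for failover or global load balancing) will trip this check just as well as a cache-poisoning attempt would, which is why the 1999-era alerts confused operators: the detector is correct and the traffic is still benign.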

Ways to Install FreeBSD

While perusing the newsgroups at unix.derkeiler.com, I learned a new way to get FreeBSD. The FreeBSD Project publishes .iso images of its release software, like 4.9 REL or 5.1 REL. Easy enough. Mirrors for these distributions are available at FreeBSD mirrors. However, I discovered the FreeBSD Snapshots site offers .iso images of the latest version of each tree, e.g., 4-stable and 5-current. You can download the .iso and finish with a system running...

Friday, 26 December 2003

Adding a New Disk in NetBSD

People complain about FreeBSD's '/stand/sysinstall' program, but I wish I could have used it yesterday when adding an 8 GB HDD to my NetBSD box. I loosely followed the official documentation but laughed when I read "Now we create some disklabel partitions, editing the tempfile as already explained. The result is...", followed by a disklabel output created from scratch! This reminded me of the "intuitively obvious" phrase from my college calculus books. Here's how I did it. This is what the disk looked like in dmesg output:

wd1 at pciide0 channel...

Installing Packages on NetBSD and OpenBSD

Last month I wrote about installing packages on FreeBSD. This entry covers my NetBSD and OpenBSD experiences. First, a few differences between NetBSD and OpenBSD. Root's default shell in NetBSD is /bin/sh, while OpenBSD uses /bin/csh. This means environment variables can be set in .profile for NetBSD and .cshrc for OpenBSD. FreeBSD gives users the chance to automatically retrieve packages and dependencies remotely, e.g., 'pkg_add -r mtr'. FreeBSD...

Review of Open Source Network Administration Posted

Amazon.com just posted my four star review of Open Source Network Administration. It's been nearly two months since my last review. I've been extremely busy writing The Tao of Network Security Monitoring, so reading has taken a back seat. From the review: "Open source is the wave of the future, and James Kretchmar's Open Source Network Administration (OSNA) catches that wave in fine form. Although the book is only 238 pages, it contains several...

Simple Network Health Performance Monitoring with Sysmon

Do you need a simple Web-based application to check if your systems and/or applications are alive? I learned about Sysmon when reading Open Source Network Administration. Once I wrote my own configuration file to watch my systems, I followed the book's instructions to complete the Sysmon installation. The result is the small screen shot at left. Since you don't need to spend a lot of time checking out the details of my network, you can get the...

Wednesday, 24 December 2003

Cisco Icons Online

Do you need networking icons for presentations or papers? Check out the completely free, non-copyrighted Cisco collection. I learned about it after reading a tip in Cisco's Packet magazine. Besides having the icons for use in OpenOffice, the zipped .pdf of conceptual icons is handy. It helps you decode Cisco diagrams by recognizing what certain symbols me...

Thursday, 18 December 2003

Learning To Install Open Source Software on Solaris and HP-UX

This summer I bought an Ultra 30 workstation and an HP Visualize B2000 workstation to learn Solaris on SPARC and HP-UX on PA-RISC, respectively. Today I worked on installing open source software on each. Starting with the Sun box running Solaris 8 on SPARC, I visited Sun Freeware, an absolutely incredible site providing free compiled binary packages of key open source software. Here's a sample installation:

1. FTP to the Sunfreeware site to retrieve the package for bash
2. Unzip the package with 'gzip -d'
3. Install the package with 'pkgadd...

Wednesday, 17 December 2003

Verisign Acquires Guardent for $140 Million

Big news from the managed security services space. Consolidation continues, as big companies looking for growth opportunities acquire the small fries. Today Verisign announced it bought Guardent (yes, the Guardent URL spells the company's name incorrectly) for $140 million in stock and cash. Guardent currently employs about 150 people. Update: Here's eWeek's analys...

Tuesday, 16 December 2003

Getting Your FreeBSD Box to Speak 802.1q Trunks with a Cisco Switch

I have the following setup on my home LAN:

cable modem - cisco router - freebsd fw/gw - cisco switch - clients

The client boxes are in two separate VLANs with different address spaces. I needed a way for them to be able to talk to the FreeBSD 4.9 REL firewall/gateway without wasting two interfaces on the fw/gw. Here's how I set this up. I'm no Cisco guru so excuse my lack of shortcuts. I got some help from this how-to, this thread, and this Cisco guide. First, on the switch, I created my VLANs:

gruden#conf term
Enter configuration commands,...

MRTG with FreeBSD and a Cisco Router

It doesn't get much easier than this. I wanted to add the Multi Router Traffic Grapher (MRTG) to my NSM tool collection. Based on the instructions provided by Open Source Network Administration and Cisco, here's how I did it. bourque is the name of my FreeBSD 4.9 REL NSM sensor and gill.taosecurity.com is my Cisco router. First I enabled the SNMP server on the router. Replace 'public' and 'private' with other community strings, like I did. (These are examples.)

gill(config)#snmp-server community public RO
gill(config)#snmp-server community private...

Friday, 12 December 2003

CAIDA to the Rescue

Kudos to CAIDA for applying real research to the issue of whether the SCO Web site was hit by a DoS attack or not. CAIDA used its Network Telescopes to watch backscatter from SCO servers and confirmed SCO Web and FTP servers were indeed flooded: "At 3:20 AM PST on Wednesday, December 10, 2003, the UCSD Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets...
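The reasoning behind a network telescope, as an added example that is not CAIDA's code or part of the original post: a SYN flood forges random source addresses, so the victim's SYN/ACKs and RSTs ("backscatter") land all over the Internet, including in large address blocks where no host ever sends anything. Counting those unsolicited replies per source identifies the victim, and because the attacker spreads forged sources uniformly over IPv4, the telescope sees only its share of the replies: scale the observed rate by 2^32 divided by the telescope's size to estimate the whole flood. The packet records, the /24 telescope (CAIDA's is far larger), the five-packet minimum and the function names below are all my own constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed telescope: an unused /24 in documentation space. Nothing inside it
# ever transmits, so any TCP reply arriving here answers a forged packet.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

def sample_packets():
    """Constructed records, not a real capture: a victim web server answering
    20 forged SYNs, one stray RST, and one scanner SYN that is not backscatter."""
    pkts = []
    for i in range(20):
        pkts.append({"ts": 100.0 + i * 0.5, "src": "192.0.2.80", "sport": 80,
                     "dst": "203.0.113.%d" % (10 + i), "dport": 1024 + i,
                     "proto": "tcp", "flags": "SA"})
    pkts.append({"ts": 103.0, "src": "198.51.100.7", "sport": 22, "dst": "203.0.113.200",
                 "dport": 40000, "proto": "tcp", "flags": "RA"})
    pkts.append({"ts": 104.0, "src": "198.51.100.9", "sport": 55000, "dst": "203.0.113.5",
                 "dport": 445, "proto": "tcp", "flags": "S"})
    return pkts

def is_backscatter(pkt, telescope=TELESCOPE):
    """Backscatter: a packet into the dark space that is the kind of reply a
    victim sends to a forged SYN (SYN/ACK, or RST when the port is closed).
    A bare SYN is someone probing the space, not a reply."""
    if ipaddress.ip_address(pkt["dst"]) not in telescope:
        return False
    return pkt["proto"] == "tcp" and pkt["flags"] in ("SA", "R", "RA")

def summarize(packets, telescope=TELESCOPE, min_packets=5):
    """Group backscatter by (victim address, victim port); report count, how many
    distinct telescope addresses were hit, and the observed reply rate."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": set(), "first": None, "last": None})
    for p in packets:
        if not is_backscatter(p, telescope):
            continue
        s = per_src[(p["src"], p["sport"])]
        s["packets"] += 1
        s["targets"].add(p["dst"])
        s["first"] = p["ts"] if s["first"] is None else min(s["first"], p["ts"])
        s["last"] = p["ts"] if s["last"] is None else max(s["last"], p["ts"])
    victims = {}
    for key, s in per_src.items():
        if s["packets"] < min_packets:        # a lone RST is noise, not a flood
            continue
        span = max(s["last"] - s["first"], 1.0)
        victims[key] = {"packets": s["packets"], "targets": len(s["targets"]),
                        "observed_pps": s["packets"] / span}
    return victims

def estimate_flood_pps(observed_pps, telescope=TELESCOPE):
    """Uniformly forged sources: the telescope receives num_addresses / 2**32 of
    all replies, so the flood against the victim is the observed rate scaled up."""
    return observed_pps * (2 ** 32) / telescope.num_addresses

if __name__ == "__main__":
    for (src, sport), v in summarize(sample_packets()).items():
        print("victim %s:%d  replies=%d  distinct targets=%d  observed=%.2f pps  est. flood=%.0f pps"
              % (src, sport, v["packets"], v["targets"], v["observed_pps"],
                 estimate_flood_pps(v["observed_pps"])))
```

The scaling step is also the caveat: it only holds if the attacker's forged sources really are uniform over the address space. Floods that forge sources from a small range, or that use real (non-forged) sources, produce little or no backscatter and are invisible to this method.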

Wednesday, 10 December 2003

Creating Fake Interfaces and Bonding Them

In June I posted a way to bond two FreeBSD interfaces to a third unused interface for purposes of combining tap outputs and sniffing the result. This method used ng_one2many and was based on advice from Andrew Fleming. In July I corresponded with John Bradberry who shared his method of using ng_fec, the man-page-less Fast Ether Channel netgraph(4) module. Two months ago John posted his method, which looks like the email he sent me in July. I finally...

Bruce Schneier on Northeast Blackout

Bruce Schneier wrote about the possible role of MSBlaster in the 14 August 2003 northeast electrical blackout. He reports on the November interim report (.pdf) by a joint US-Canadian taskforce:"The coincidence is too obvious to ignore. At 2:14 p.m. EDT, the MSBlast worm was dropping systems all across North America. The report doesn't explain why so many computers--both primary and backup systems--at FirstEnergy were failing at around the same time. But MSBlast is certainly a reasonable suspect. Unfortunately, the report doesn't directly address...

US Government Security Report Card

Yesterday Congressman Putnam of the US House Committee on Government Reform announced the federal government's computer security report card (.pdf). FCW summarized the results. For the first time two agencies scored above 90%: the Nuclear Regulatory Commission earned top honors with an A, and the National Science Foundation received an A-. The grades were based for the first time in the four-year program on the Federal Information Security Management Act (.pdf), reportedly an improvement over the Government Information Security Reform Act (GISRA)...

Sunday, 07 December 2003

Creative Commons

After reading why Microsoft Word is not a document exchange format, I found myself at the Creative Commons Web site. Their goal is "to build a layer of reasonable, flexible copyright in the face of increasingly restrictive default rules." I found their license builder interesti...

Saturday, 06 December 2003

Spammers Target Cambridgeshire Police Force

I learned of this scam via this Sophos report. Spammers are sending messages which appear to be receipts for £399.99 Apple iPods. The message lists the phone number of the Cambridgeshire Police Force in the UK as the point of contact for complaints. This sounds more like a prank than a structured attack, but the concept is sound. I imagine we'll see more of this in the future. Here's what the email looks like:

Subject: Transaction Receipt (UKCards)
From: "UKCards"
------------------
Please note: All charges to your statement
will appear in the...

Friday, 05 December 2003

I commend the Debian project for detailing the exact timetable and methodology associated with their recent compromise. They posted a detailed report on the incident Tuesday. I found several points noteworthy. First, notice how they detected the intrusion. Sharp admins knew something was amiss, and a host-based IDS detected file changes: "On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system was running without problems for a long time, the system was about to be taken into...

Thursday, 04 December 2003

1500 Helpful Review Votes at Amazon.com

I'd like to thank everyone who's voted my Amazon.com reviews to be "helpful" over the last 3+ years. I started seriously reviewing books with Radia Perlman's Interconnections, 2nd Ed in May 2000. Since then I've written reviews of 116 books on security and computing topics. Some reviews of poor books caused quite a stir. Several were pulled only to have me resubmit "just the facts" in the form of direct quotes. Others caused me to argue with...

Tuesday, 02 December 2003

Exploiting Cisco Routers Article

SecurityFocus published the sequel to an article on exploiting Cisco routers. This has been happening for a while but this article spells out the detai...

Monday, 01 December 2003

Quirks of NetBSD

Exactly two months ago I reported installing FreeBSD, NetBSD, OpenBSD, and Debian on my laptop for test purposes. Yesterday I tried to upgrade a different box from FreeBSD 5.1 RELEASE to FreeBSD 5.1 CURRENT. I've had no luck getting my SMC 2632W or 2602W wireless NICs, or an Orinoco Gold wireless NIC, to work in any modern version of FreeBSD. (I had the 2632W working with FreeBSD 4.5 and earlier using this hack.) I thought trying CURRENT might be a good idea but the install failed. Wireless support is my biggest grievance with FreeBSD. I...

Friday, 28 November 2003

Snort Add-Ons

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard. Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001. spo_unified creates two log files. To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the...

Voice-Based Fraud Detection

The Register reports on the latest in fraud detection: "Online insurer Esure is to use technology that recognises when a speaker is under stress in a bid to detect fraud. The company hopes using voice risk analysis (VRA) technology will speed genuine claims, cut fraud and make its claims process more efficient... VRA - which identifies micro changes in the voice that can occur when a speaker is showing higher levels of stress - will be used by esure from 4 December. The company is keen to emphasise that the technology is a 'stress detector' not...

Thursday, 27 November 2003

According to Reuters, a 38 year old Home Depot worker was arrested for stealing laptops from Wells Fargo. From the article: "Police recovered the equipment at Krastof's home, along with equipment used for scanning identity cards and checks, he said. 'He is a low-level ID theft kind of guy,' White said of Krastof. Krastof told police that he did not know that sensitive data was on the computer, according to [policeman] White. Wells Fargo will be able to keep the $100,000 reward it had offered in the case, since the arrest was made from regular...

Wednesday, 26 November 2003

Ron Gula Replies to Information Security Review of NeVO

You may have read the fairly critical Information Security review of NeVO by Tenable Security. CTO Ron Gula posted a response to the focus-ids group which makes for good reading: "Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month old Nessus scan) or 'relevant' vulnerability data (like all of the IIS...

Monday, 24 November 2003

Tepatche - Automatic OpenBSD System Patcher

I continue to watch for tools to keep BSD systems up-to-date. I learned of a new application for OpenBSD called Tepatche. The author wrote this article for next month's Sys Admin magazine. He also mentions the openbechede package management project. Incidentally, Colin Percival reports he's attained the $1000 mark needed to buy a new box to provide freebsd-update binary updates. Hopefully we'll see them available for the 5.X tree soon. While poking around Amazon.com I found a new BSD book will be published in the spring: FreeBSD and OpenBSD...

Wells Fargo Offers $100,000 For Info Leading to Conviction of Laptop Thief

ZDNet reports the following: "Wells Fargo said on Friday it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. The computer was one of several stolen earlier this month from the office of an analyst for the bank in Concord, California, the bank...

Finding the Name of FreeBSD Packages to Install

I usually install FreeBSD applications using the ports system, but I wanted to know how to use the package collection as well. I wondered how to quickly locate the name and URL of a package so I could pass them as a parameter to pkg_add -r. Using this command FreeBSD fetches the package specified and installs any dependencies automatically. I found the answer at the FreeBSD Ports Changes page. Here you can query for a package (or port) by name,...

Friday, 21 November 2003

Tim O'Reilly on Computer Books

Tim O'Reilly of O'Reilly publishing answered questions on the economics of writing on computer topics. I found this excerpt interesting: "Your choice of publisher helps [a book be successful]. The clearest lesson from Bookscan (to refer to the data that started this thread) is that the market is consolidating. Fully 80 percent of the market shown by Bookscan (about 65-70 percent of U.S. domestic retail sales, including online accounts) is owned by Pearson, Wiley, O'Reilly, and Microsoft Press, in that order. If you add Osborne and Sybex, you get...

Wednesday, 19 November 2003

Other Tidbits on SSH, IRC, and other Topics

I needed to bounce through a couple systems while working on a hostile classroom network this week. I found this book excerpt which explains how to chain SSH connections. I started using the EPIC IRC client on FreeBSD and I wanted to use a customization script. I remembered using Splitfire and found it to be useful. In #snort-gui we've been using Pastebot to provide chunks of text via HTTP rather than IRC on homefries. Rob Lee's incident-response.org domain registration apparently expired and was scooped by someone else. You can access Rob's...

PostgreSQL 7.4 Released. Watch Out For MySQL "Gotchas"

PostgreSQL 7.4 was released this week. We use MySQL in the Sguil project but we used PostgreSQL with older NSM tools. I learned about this MySQL "gotchas" site showing odd MySQL behavior. This could prompt a war between the MySQL and PostgreSQL communities. Speaking of wars, I ran across a site which claims to benchmark various UNIX operating systems. The results caused a crazy thread among OpenBSD use...

What Makes For Credible Certifications?

Peter Stephenson contributed to a SC Magazine article that featured criteria for credible certifications. I found his comments worthwhile:

"The major question to be asked about certifications and their value is: 'Where does the cert come from and what are its objectives?' A good industry certification will have several recognizable components if it is to be credible:

It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it.

It requires ongoing training...

Tuesday, 18 November 2003

Network Security Monitoring Saves My Bacon

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy. This morning I...

Saturday, 15 November 2003

TruSecure: "k3wl," Like "Hackweiser and G-force Pakistan"

The BBC wrote an article about the threat intelligence group, "codename IS/Recon (Information Security Reconnaissance)." They're TruSecure's "moles" -- people who befriend the "underground" and acquire information on their intentions and capabilities. The national intelligence community calls that "human intelligence," or HUMINT. The article claims TruSecure "currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs." It also states they collect "200 gigabytes of information a day," which "has enabled the...

Friday, 14 November 2003

Mapping the Internet on a Dare

Slashdot reported on the Opte Project. It's a single guy who's mapping the Internet using code he wrote. Commercial companies like Lumeta provide much more enhanced functionality, but this is still a cool hack. The Slashdot thread features commentary by Hal Burch and Fyodor, and a useful summary of similar projects. The image at left is supposedly "1/5 of the Internet," but as one Slashdot reader mentioned, it looks a lot like a brain! Given Google has replaced the brain of many people, I imagine this image is appropriate. ...