Feb 212012
 

FSMO roles are tasks that domain controllers have to do in an Active Directory environment, they control the proper operation of the network. Each role can be held by only one server. These are ways to check who currently holds different FSMO roles and transfer them from one server to another, taken from various KB articles, condensed here for future reference, as well as a short explanation of what those roles are.

FSMO description
View role holders
– command line
– GUI
– script
Change roles
– command line
– GUI
Continue reading »

Jan 212012
 

The real ones, not the Debian versions, Iceweasel and Icedove. Obviously, one way is to get them straight from mozilla, but I’d like auto updates without much fuss. There’s Linux Mint, which is basically Debian, but kept up to date and without all the trouble that comes with using only free software. So one could add their repo in Debian.
Continue reading »

Jan 112012
 

A very basic .bat that archives a bunch of files using 7zip in a different package each day of the week (i.e. bak_1.7zip to bak_7.7zip), then copies the archive to a different machine in a shared folder and fires off an email with the result. Effectively a week’s worth of full backups. This is NOT real backup.
Continue reading »

Dec 192011
 

The goal was to set up a simple syslog server for centralized logging, able to receive from any syslog-enabled device, but also able to talk to machines with more advanced capabilities, like logging over TCP/IP so messages wouldn’t be lost if connection dropped for a while or sending messages over encrypted channels. Of course, it should also be able to send those messages to any file based on sender, time, or any other arbitrary condition. rSyslog fits nicely. As a bonus it also sends them to a database to be picked up by log analyzers. syslog-ng is the alternative.
Continue reading »

Dec 022011
 
Planescape:Torment modded to 1280x720

Planescape:Torment. Considered THE role-playing game by many. There’s no homepage anymore, so here’s the wikipedia page. Well worth playing if you like reading stories, it’s like an interactive book, one of the best of it’s kind. Not so much if you’re into bashing high-poly skulls. But this isn’t a review.

The goal was to play it on Linux as it was intended to be played, full screen, without it crashing on alt+tab and such, while doing as little setup as possible. It works in Wine with some tweaks, but keep an eye on GemRB, the open-source implementation of Bioware’s Infinity Engine. Given the changing nature of Wine and Linux, this is WorksForMe quality, your millage might vary.

Continue reading »

Nov 292011
 

Philosophical ramblings

Why? Two reasons, network administration and security.

From an administrative POV the server should be reliable, placed on a central point on the network, able to directly reach as many of the monitored items as possible so that the exact point of failure can be easily determined. It can’t do much monitoring if it’s not working due to hardware problems and by making it reach as many things as possible in as few hops as possible the chance of one failure on the network hindering it’s ability to monitor the rest of it is reduced.

From a security POV this is where all data about intrusions, successful or not, should be gathered. This is where one could start looking in order to find the what, when and how of an intrusion. The server must be online and working in order to gather the data, so it should be a secure server, preferably not directly accessible from the outside, to shield it from DoS attacks. Also, maybe use a different OS for it. If, say, the network is comprised of Linux servers and the attackers use some BigBad 0day exploit against them, this one being a BSD could stop them and give the administrators time to close down the network while still having enough data to determine later how to proceed.

So, stable and secure. Sounds like all the other servers. The catch is, this one isn’t the average production server, it doesn’t need to be open to users or the world, only the network administrators should have access, so security isn’t that hard to achieve. Having a different OS and a different authentication mechanism from the rest of the network (no domain integration, no common passwords, etc.) helps. Security is done in layers.

For the sake of shortness, let’s call this server BigBrother, aka BB.

Server roles

Centralized logging – main role, security-wise. Gathers all the logs from other network devices. Assuming intruders that do a bit more than just some random SQL injection, the first thing they’ll probably do would be to erase all traces. Meaning wipe out the logs, either erase them completely or just the parts that document how the intrusion happend, if they want to remain hidden in the system. Those logs would still be on the logging server though. Step two, set up a mechanism that would (automatically) erase traces of their activity in the future. One way would be to inject a kernel module that would block the unwanted log messages from ever being sent in the first place. Another way would be to modify something in the system, like the syslog binary, so the messages don’t get written to disk. Finally, a third way would be to clean the logs after they are written to disk. BB doesn’t help much in the first case, but in the second case, if all the modification does is stop the messages from being written to disk they might still get sent over the network. Third case, BB’s got them all anyway. One could even compare the local and remote logs at the end of the day and see if anything is missing. Of course, nothing stops the intruders from modifying the conf file, but that might trip some other alarm, or /etc/syslog.conf might not be the real file. Layers and misdirection.

Network monitoring – main role from a network administrator’s point of view. Keeps an eye on other devices and services on the network, make sure they do their job. Maybe measure and record performance, draw some pretty graphs and reports for whoever requests them.

NTP server – in order for the centralized logging to make sense all the devices on the network should have the same time so an NTP server is needed. May as well be this one.

Log parser – since all logs from the network come here and they can be brought on this server in a common format it only makes sense that it should do the parsing of it too. It’s all logged in real time so it can monitor for security threats, mail/web/proxy statistics, basically anything that the original host logs to syslog, BB can parse. The advantage is that it can be configured for each type of log once and work for any new host brought to the network.

IT inventory – it already watches a good chunk of the network in it’s monitoring role, so this could be extended to keep track of all the IT assets, hardware and/or software. Once a new machine is brought into the network it’s data could be input here, monitoring be automatically set up and maybe keep an eye on what software is running on it. However, this role is limited by the requirement that as few people as possible have access, so if, for example, the accounting department needs to be able to see and/or manipulate data, this shouldn’t be the machine to do it.

IDS / IPS control – since in it’s monitoring role it should have access to the whole network this is a good candidate for the server that controls any kind of intrusion detection/prevention system installed on the network. It can distribute configurations/signatures for the other IDS/IPS agents.

Repository – might or might not make sense on your network. It can be a package repository, compiling/downloading the necessary updates/packages for all the OSs on the network and a configuration repository, keeping all the conf files for all the servers in one place. One server crashes, just reinstall and instruct it to pull the conf files from the repo. As long as they are all kept in sync. This means that those other devices have access to this server though. Or there might be other conflicting requisites for the different devices, so it might or might not work.

Tools
There are many ways to achieve the goal and many too programs that can be used, some are free, some cost a lot of money, some are easier to set up than others.

Rsyslog – an advanced syslog server, free for commercial use, commercial support also available. It can do log filtering on virtually anything, it can log to a database, to a text file, to different files based on host/time/service and a lot more, it can listen for UDP or TCP connections, it can encrypt traffic. It’s fast and backward compatible with the standard syslog. It’s got a good community and active development. The other one is syslog-ng, though I couldn’t say which one is better. Rsyslog seems to have a slight edge.

Nagios – originally NetSaint, it’s a network monitoring application. Free, open source, highly configurable, it can be as lightweight as you want it to be. A commercial version is also available. Uses plugins, has a big community. Whatever you want to monitor chances are someone wrote a plugin for it. It can do (some) network discovery via nmap but it’s not it’s strong point. Basically it will monitor whatever you tell it to monitor whenever you tell it to and it will alert in whatever way you have available, but you have to tell it to. Online demos of the commercial and free products.

Adiscon LogAnalyzer – web interface to reading logs. Free to use, commercial support available in some form. Check the online demo to see what it can do.

Splunk – it can monitor almost any kind of log from any kind of device and generate reports/alerts or just display the data. Free for up to 500 MB a day of logs, commercial support available. Setting it up is easy and it looks like it can do a lot of things right. Commercial version can also do some more things, a quick runup of the features of each version here

Cacti – the new MRTG. Monitors devices over SNMP and draws pretty graphs of how busy they are. Free, open source, good community, as with Nagios if you want to monitor something chances are someone already did it. And even if not, it’s relatively easy to set up provided you know what you’re looking for in the SNMP tree.

Open-AudIT – inventory management. Basically it gives you some scripts to run on computers that will upload data about the hardware/software installed to the server. With a little bit of work one can automate big part of it in order to keep a closer eye on the network. Source of v2 is here and it looks like they could really use some donations.

OSSec – “Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”. It’s developed by TrendMicro, commercial support is available. Runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows and it can be set up stand-alone or as server/agent in a centralized management solution.

Snort – open source network intrusion prevention and detection system (IDS/IPS). That’s “network-based” IDS as opposed to OSSec which is a “host-based” IDS. Basically what it does is scan the packets as they move around the network and react if it detects a threat. Commercial support and signatures available, free to use otherwise, strong community.

Gnokii – CLI tool that can talk to mobile phones or GSM modems and make them do stuff. Like send SMS. Not exactly server role, but if you have a GSM modem, using nagios + gnokii you can set it up so it alerts you with an SMS if something goes wrong. As long as the modem can send SMS it doesn’t tie you up to any network. It can also be set up as an SMS gateway so that it transforms emails or other forms of text into SMS. If the network doesn’t work at all you won’t get the warning emails, but you will get the SMS, it’s really a cool thing to have.

VirtualBox – another program that doesn’t have an obvious place here, but using it can give the admin a lot of flexibility. One could set up a network between virtual machines and host, a network that would be hidden from the rest of the world. Different machines could be set up for different roles. If, say, the host is Linux but there’s a need to run a Windows-only tool a virtual machine can be used. And it would all still be on the same physical hardware, it could still have one entry point protected by one firewall and be easily backed up and restored.

Nov 252011
 

According to the comments this is supposed to be a very basic echo server. It was written for school many years ago and I didn’t turn out to be a C coder after all, though I remember this being fun, so for anyone stumbling upon this: DISCLAIMER – apparently it was six in the morning and looks like I was a bit drunk too, so, seriously, don’t try it if you don’t know what it does. You shouldn’t run unknown code on your system, specially C code found on some random site, if anything happens, I don’t care. Just in case this does screw something up, drop me an email so I can laugh at you. Copy&pasted verbatim for archival purposes. Other than that it’s perfectly safe and no one lies on the internet.
Continue reading »