Three Little Commands and a Pen-Test

Yea, you read that right. Three commands and you can run a pen-test on your website/webserver. So, how?

kelvin@home:~$ sudo apt-get install nikto  
kelvin@home:~$ sudo nikto -update  
kelvin@home:~$ nikto -h www.thoughtdeposit.net

As you can see, Nikto is a web server scanner that checks for over 3200 potentially dangerous files and known vulnerabilities. Additional features are listed on the Nikto website; either way, you will want to add this old gem to your webserver toolbelt as soon as possible.

Lighttpd+Rewrite+OpenSEF+Joomla

For those of you not needing Apache and the whole kitchen sink, [insert reason here], Lighttpd is a very attractive contender. For me, it has a small memory footprint, which is highly appealing. However, getting SEO URLs to work (i.e. using rewrite) isn’t entirely straightforward.
Tada! A little research yields two helpful links: one at lighttpd.net regarding how to use ModRewrite and another showing how to slightly modify the .htaccess file used by OpenSEF and Apache.
So…

  1. Flush/clear any caches available
  2. Make sure the site is listed in OpenSEF’s manager inside Joomla
  3. Make sure SEO is enabled inside the Joomla ‘Site Configuration’
  4. Change your host conditional statement so it matches this:
$HTTP["host"] =~ "(^|\.)yourdomainname\.com$" {
     server.document-root = "/var/www/your/domainlocation/"
     url.rewrite-once = (
          "^images*\.(jpg|jpeg|gif|png)" => "$0",
          "^/administrator.*$" => "$0",
          "^/mambots.*$" => "$0",
          "(/|\.htm|\.php|\.html|/[^.]*)$" => "/index.php"
     )
}

Clear your browser cache, and check it out. If it doesn’t work, you can try to “Delete All” URLs inside OpenSEF, and then your site will rebuild as necessary. Another note, as you can maybe tell by the above ruleset: you can have rewrite ignore directories. Just include:

"^/directory.*$" => "$0",
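To see what the ruleset above actually does to a request, here is an added shell model of the url.rewrite-once block (example code written for this page, not part of the post or of lighttpd itself). It tries the same four patterns in order with grep -E, and the first match wins; a target of $0 means "leave the URL alone", exactly as in the config. The sample URLs are constructed. In this model /administrator/... and /mambots/... pass through untouched, extension-less and trailing-slash SEO URLs go to /index.php, and a request such as /images/logo.png falls through all four rules unchanged, because the first pattern is anchored at ^images while a request URI begins with a slash.

```shell
#!/bin/sh
# Model of lighttpd's url.rewrite-once semantics for the ruleset in the post:
# rules are tried top to bottom, the first match wins, "$0" keeps the URL.
# Patterns are evaluated with grep -E; these four are valid in both PCRE and ERE.
rewrite_url() {
    url=$1
    while read -r pattern arrow target; do
        if printf '%s\n' "$url" | grep -qE -- "$pattern"; then
            if [ "$target" = '$0' ]; then
                printf '%s\n' "$url"        # pass-through rule
            else
                printf '%s\n' "$target"     # rewrite to the front controller
            fi
            return 0
        fi
    done <<'EOF'
^images*\.(jpg|jpeg|gif|png) => $0
^/administrator.*$ => $0
^/mambots.*$ => $0
(/|\.htm|\.php|\.html|/[^.]*)$ => /index.php
EOF
    printf '%s\n' "$url"                    # no rule matched: served as-is
}

# Constructed sample requests (not from the post).
for u in /administrator/index.php /mambots/editors/x.js /about.html \
         /about-us /content/view/12/ /images/logo.png; do
    printf '%-28s -> %s\n' "$u" "$(rewrite_url "$u")"
done
```

If you want a directory to be ignored by the rewrite, as the post says, add a pass-through line for it above the final catch-all; order is what matters, since rewrite-once stops at the first hit.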

Unified Linux Desktop Experience

I’ll admit, I think one of the thickest barriers to entry regarding Linux is variety. I love variety, but general end users don’t adjust well to change (IMHO). Thus enter the stage: Portland. So, what does this mean to the end user? This means that, eventually, the UI throughout Linux will all look similar, regardless of whether it is built on GTK, Qt or anything else (that is, if it is built off the Portland standard).

Sweeeet.

And as a runner-up worth mentioning, there is the user-driven Tango Desktop Project.

HTML Validification Browser-Side

I like most standards, I can’t deny it. One thing that I find too humorous is the number of sites that are not valid, even sites that claim they are. One tool in my box is HTML Validator, an extension for Firefox. A nice little icon appears in the lower right, indicating whether a page is valid, not-so-valid, or really-not-so-valid. Makes it easy to check your own sites, and others.

Convert VMWare Movie to FLV

This little process, a total of two lines, took way too long to figure out.

First, we convert the VMware avi (VMnc format) to the Microsoft avi format.

mencoder -of avi -ovc lavc movie.avi -o movie2.avi

Next, we convert the Microsoft avi format to FLV format.

ffmpeg -i movie2.avi -r 12 -b 100 movie.flv

You can play around with the -r switch (frame rate, frames per second) and the -b switch (bitrate). But as those get larger, so does your FLV file.

Another VPN Node

Status: ✅

After consulting several vendors in Kuala Lumpur, I was able to get the right Cisco with the right IOS. One of their technicians came and installed it, and that night I hooked it up to our VPN. Besides the fact that the internet distribution is still a little shady in Kuala Lumpur, the connection remains somewhat stable, and yet another node is brought on the company intranet.

Hunt the Anomaly

Information is power, or so many of us think. As an I.T. administrator, no matter what the level, it is my opinion that knowing what your network is doing is important. This includes regular operation, what it could do in the event of a disaster, or when it is just slightly not functioning.

Jeez, I’m personifying a computer network.

As I wrote in another post, I set up network monitoring for several nodes. But, what happens when an anomaly occurs? This is the story of hunting down a worm/virus, from far, far away.

While I can’t go into too many details, for obvious reasons, I’ll try to tell the story as it happened. The overall cleaning process took several weeks to resolve, although the effect was minimized the second the anomaly was discovered. The lengthy time to resolve is mainly due to the time needed to request that computers be patched/updated/scanned (like I said, this anomaly was at a large branch office in another country).

I’ve blurred out any relevant information for obvious reasons.

Almost immediately after setting up monitoring I noticed something strange occurring. As you can see from the graph below (from nfsen), something is obviously wrong. If you can’t see it, that big spike, in what we’ll call Network Green, should give you a clue. Now, I can expect a spike during lunch when people watch movies or send their 50 MB picture email attachments, but this spike isn’t always at noon, and as we’ll see, it sure ain’t emails.

Find the anomaly:

So, let’s try to find out what is going on. Indeed, there are some analyzers of flow traffic that can display the types of traffic, and are useful if the issue isn’t apparent, but NFSEN’s filtering capabilities haven’t failed me yet (although seeing a graph with types of traffic is useful).

We can now take a look at what is going on. Let’s next just take a look at the statistics offered:

I’ve left the dates in there for you to see something interesting: Network Green transferred over 15 GIGS of UDP traffic. If we think back to networking basics, we can remember that UDP is a connectionless protocol. So, what uses UDP? DNS/TFTP, some streaming media, VoIP, and several VPN/encryption protocols. That said, there isn’t any legitimate reason for any of the employees to use that much bandwidth of this type. Only one thing seemed apparent: somebody was massively downloading from some p2p source, or we had a worm/virus.

Now that we know it is UDP related, let’s find out more. I’ve filtered by UDP in the graph just so you can see how much traffic that really is. Let’s select the anomaly. We first select the left side…

Then we select the right side, and we have a pretty green highlighted section.

Now it is time to hunt the person down. Using NFSEN’s built-in filtering capabilities, I was able to find which computer was being naughty. I first created the filter rule for the appropriate network (IP obscured for confidentiality):

Then could see the obvious place to look next:

As is highlighted, you can see that one IP is continually transferring UDP traffic over port 14857. Well, it certainly isn’t DNS or TFTP! (But we knew that when 15+ gigs was transferred:) When we look at the Top 10 Src IP Addr, ordered by bytes, we can see that one IP transferred a whole lot of traffic.

What now? I pulled out the nmap/nessus combo and tried to see what was running. Telnetting to port 14857 didn’t return any form of hello message, and nmap didn’t return any known services for whatever was on port 14857. At this point I sent out the emails/documentation to managers in the remote office requesting that anti-virus be checked and loaded onto any computers. Next, I blocked the port, from that computer, from sending outgoing traffic. Occasionally, as you can see in the graph, another computer or two would show the same symptoms, but within two weeks the oddity had disappeared. Thank you, NFSEN and Cisco.

Monitoring Traffic Usage

Status: ✅

One of the greatest benefits, in my opinion, of Cisco routers is the ability to generate netflows. In a lot of ways, I would prefer to do this rather than implement some appliance (say, using ntop). The ability to analyse the amount of traffic becomes extremely valuable. Not only can one measure the amount of traffic, but also the type of traffic that is being generated through the network.

Using a similar configuration, I set up all four Ciscos to export netflows that stream back to a server in the States. I decided to use nfdump as a collector. After the dumps are collected, it is simple to set up nfsen to parse and analyse the received flows. It even allows you to generate really pretty graphs.

So, why do this? For starters, collecting netflows allows the basic analysis of data, which can tell you several things. You can know instantly how saturated your connection is, if there are any anomalies, if there is any file sharing going on, or when heavy traffic usage occurs. For instance, if the connection becomes slow at the end of the day, you can analyse which protocol is used the most during that time. Or, as was my case, hunting down virus-infected computers that were fully saturating a 10 Mbit pipe.
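The hunt described in the previous post (bytes per protocol, then the top UDP talkers, then one source ip:port pair that stands out) and the nfdump/nfsen setup described here can be reproduced on the command line. The following is an added example written for this page, not output or code from the post, nfdump or nfsen: it runs the same three steps with awk over a handful of constructed flow records in a CSV layout chosen for the example, flags any UDP source above a byte threshold, and turns the hit into an nfdump filter expression so the same host can be pulled out of the real collected flows.

```shell
#!/bin/sh
# Constructed flow records standing in for nfdump output (not data from the post):
# proto,src_ip,src_port,dst_ip,dst_port,bytes
FLOWS='udp,10.1.1.23,14857,203.0.113.9,14857,9000000000
udp,10.1.1.23,14857,198.51.100.4,14857,6500000000
udp,10.1.1.5,53211,10.1.1.1,53,40000
udp,10.1.1.8,5060,203.0.113.60,5060,12000000
tcp,10.1.1.7,40112,203.0.113.50,443,250000000
tcp,10.1.1.9,40250,203.0.113.51,80,180000000'

# Step 1: how many bytes does each protocol carry? (%.0f is used instead of %d
# because some awk builds truncate %d at 32 bits once totals pass 2 GB)
bytes_by_proto() {
    printf '%s\n' "$FLOWS" |
        awk -F, '{ b[$1] += $6 } END { for (p in b) printf "%s %.0f\n", p, b[p] }' |
        sort
}

# Step 2: restrict to UDP and rank source ip:port pairs by bytes sent.
# $1 = number of entries to show (default 10, like nfsen's "Top 10 Src IP Addr")
top_udp_talkers() {
    printf '%s\n' "$FLOWS" |
        awk -F, '$1 == "udp" { b[$2 ":" $3] += $6 }
                 END { for (k in b) printf "%.0f %s\n", b[k], k }' |
        sort -rn | head -n "${1:-10}"
}

# Step 3: flag every UDP source above a byte threshold ($1) as worth a look.
# A DNS or VoIP client never gets anywhere near 15 GB in a week.
flag_udp_anomaly() {
    top_udp_talkers 1000000 | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# Step 4: build the nfdump filter that isolates a flagged ip:port pair, so the
# same host can be selected in nfsen's filter box on the real flow archive.
nfdump_filter_for() {
    ip=${1%:*}; port=${1#*:}
    printf 'proto udp and src ip %s and src port %s\n' "$ip" "$port"
}

echo "bytes by protocol:"; bytes_by_proto
echo "top UDP talkers:";   top_udp_talkers 3
for hit in $(flag_udp_anomaly 1000000000); do
    echo "anomaly: $hit -> nfdump filter: $(nfdump_filter_for "$hit")"
done
```

The threshold is the only tunable: pick it from what a normal week of the same graph looks like, since lunchtime video and large attachments are expected bursts, whereas a single host pushing gigabytes of UDP to one high port around the clock is not.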

A week in the life of NFSEN:

Quick and Dirty Firewall

Abstract

The following is a Quick n’ Dirty method at implementing a very simple firewall.

Locate IPTables

Depending on your server, first locate iptables:

 [root@vps /]# which iptables 

Create IP Based Accept/Deny

Create a whitelist (source addresses the firewall accepts without further checks) or a blacklist (source addresses whose packets are dropped), if you wish:

 [root@vps /]# vi /usr/local/etc/whitelist.txt 

And/Or…

[root@vps /]# vi /usr/local/etc/blacklist.txt 

In each file, add one IP per line, for instance:

 4.2.2.2
 66.35.15.20

firewall.sh Script

Then put the following in /etc/init.d/firewall.sh, and edit to fit your needs:


#!/bin/sh
#
## Quick n Dirty Firewall
#
## List Locations
#

WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt

#
## Specify ports you wish to use (opened for both TCP and UDP below).
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables

#
## Clear current rules (flush chains, delete user-defined chains, zero counters)
#

$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'
echo 'Allowing Localhost'

# Allow localhost. Match on the loopback interface rather than on a
# 127.0.0.1 source address, which could be spoofed on another interface.
$IPTABLES -A INPUT -t filter -i lo -j ACCEPT

#
## Whitelist: these sources are accepted before any other check
## (lines starting with # in the list file are skipped)
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#
## Blacklist: these sources are dropped outright
#

for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s $x -j DROP
done

#
## Permitted Ports
#

for port in $ALLOWED; do
        echo "Accepting port TCP $port..."
        $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

for port in $ALLOWED; do
        echo "Accepting port UDP $port..."
        $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT
done

#
## Drop anything else
#
# Replies to connections this host started are let through; any other UDP
# packet and any new TCP connection (SYN) to a port not listed above is
# dropped. The chain policy is left at ACCEPT, so other protocols (ICMP,
# GRE, ...) and non-SYN TCP packets that are not in the state table still pass.

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A INPUT -p tcp --syn -j DROP

Start Firewall

[root@vps /]# chmod 700 /etc/init.d/firewall.sh
[root@vps /]# /etc/init.d/firewall.sh 
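For a second look at the same idea, here is an added dry-run variant (example code written for this page, not the post’s firewall.sh). IPTABLES defaults to `echo iptables`, so it prints the rules instead of loading them; set IPTABLES=/sbin/iptables to apply them for real. Two things differ from the script above: every entry read from the list files is checked to be an IPv4 address or CIDR prefix before it is handed to iptables, and the tail of the ruleset is tightened, with the RELATED,ESTABLISHED rule first, loopback matched by interface, a separate UDP port list, and the chain policy set to DROP as the last step so that protocols other than TCP and UDP are not silently accepted. The list file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Dry-run firewall generator. With the default below the rules are only echoed;
# IPTABLES=/sbin/iptables ./this.sh loads them. (Unquoted on purpose so that
# "echo iptables" splits into a command and its first argument.)
IPTABLES=${IPTABLES:-"echo iptables"}
ALLOWED_TCP="22 25 53 80 443 465 587 993"
ALLOWED_UDP="53"

# Only a dotted-quad IPv4 address or CIDR prefix is accepted from a list file;
# comments, blank lines and typos never reach the iptables command line.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# $1 = list file; prints one validated address per line, reports the rest.
read_list() {
    grep -v '^#' "$1" | awk '{print $1}' | while read -r ip; do
        [ -n "$ip" ] || continue
        if valid_ip "$ip"; then
            printf '%s\n' "$ip"
        else
            echo "skipping bad entry in $1: $ip" >&2
        fi
    done
}

# $1 = whitelist file, $2 = blacklist file
build_rules() {
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT                                  # loopback by interface
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies first, cheapest path
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    for ip in $(read_list "$1"); do $IPTABLES -A INPUT -s "$ip" -j ACCEPT; done
    for ip in $(read_list "$2"); do $IPTABLES -A INPUT -s "$ip" -j DROP; done
    for p in $ALLOWED_TCP; do
        $IPTABLES -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do $IPTABLES -A INPUT -p udp --dport "$p" -j ACCEPT; done
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPTABLES -A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "
    # Policy last: on a live box this keeps an SSH session alive while the
    # rules above are still being added.
    $IPTABLES -P INPUT DROP
}

# Demo with constructed list files (the directory is removed afterwards).
DEMO=$(mktemp -d)
printf '4.2.2.2\n# trusted monitoring host\n66.35.15.20\nnot-an-ip\n' > "$DEMO/whitelist.txt"
printf '198.51.100.77\n' > "$DEMO/blacklist.txt"
build_rules "$DEMO/whitelist.txt" "$DEMO/blacklist.txt"
rm -rf "$DEMO"
```

Run it once without IPTABLES set and read the printed rules top to bottom; that is the order the kernel will evaluate them in, and the printed list is also what to keep in the change record before loading the real thing.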

Tips for Passing the MCSE 70-291

As you may know, I’ve been taking a few of the MCSE:Security tests when I have time. This afternoon I passed the 70-291, which is claimed to be the hardest of all the tests (and of the ones I’ve taken so far, I would concur).

I’m taking my tests at the Geego Systems center. If you are in Taipei for some reason, and needing a place to take some tests, this place is a safe bet. Their staff is pretty darn cool, and they let me drink as much tea as I want.

Anyways, the test. I can’t talk about any of the questions, ‘cause I’ve “signed” an NDA, and Microsoft will take away my certification(s). But, I’ll tell you what I did to study.

I took three approaches, as I do to all the tests.

  1. Get an Exam Cram2 70-291 book, and read it through, cover-to-cover. This, in my opinion, is a great way to get to know the language used, and some of the concepts. Exam Cram 2 books do a pretty good job of cutting out the fluff.
  2. I have a copy of Mastering Windows Server 2003 that I picked up in Hong Kong last year. It doesn’t do a good job of cutting out the fluff, which makes it a great resource to flip through. It seems to have almost every tutorial you could imagine. The one downside though, as there always is one, is that the book is starting to get a little dated. Either way, this has to be one of the most complete books on 2003 I have ever flipped through.
  3. It is all fine and dandy to read, but it is my belief that everything you read, you should do. My little lab (see end of post for my cool diagram) seems to suit me quite well. If you have read this far, and want some things to do in your test lab, this is what I would recommend:
  • DNS - Know how to add CNAMEs, A records and play with MX records. Know how to prioritize mail servers. Know how to create aliases.
  • WSUS - Sadly, many of the books I’ve seen (or the two listed above) don’t talk about WSUS. I believe Microsoft just made the change on their tests, but it is on there. And they hit this topic pretty hard, so be prepared.
  • Security Templates - Creating baselines and doing audits
  • Network Security - Configuring firewalls, configuring a VPN between two networks (RRAS)
  • DHCP - Creating scopes, relay agents and reserving client addresses
  • TCP/IP - This test has a pretty big backbone of TCP/IP. Know how to subnet, and general networking terms/methods. Picking up a book on the Network+ certification, such as the Exam Cram2 Network+ book (which I read to refresh myself, and pass the Network+ test), could be useful.

Luckily I was able to get a few years of real-life hands-on experience with installing, implementing and managing AD through a previous I.T. position. Practice always helps though. Good luck!