Archive for December, 2009

realtime network monitoring tools

Thursday, December 24th, 2009
  1. tcptrack: http://www.rhythm.cx/~steve/devel/tcptrack/release/1.3.0/docs/tcptrack.1.html
  2. ngrep: http://www.linux.com/archive/feature/46268
  3. ntop:
  4. mrtg:
  5. vnstat: http://humdi.net/vnstat/

Deleted/Corrupted/Wrong Type/No IOS image and router won't boot (Cisco 2600)

Thursday, December 24th, 2009

Deleted/Corrupted/Wrong Type/No IOS image and router won’t boot: http://www.dslreports.com/faq/13824
Break Key Sequence: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080174a34.shtml
ROMmon Recovery for the Cisco 2600 Series Router:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a0080094a0b.shtml
How to Download a Software Image to a Cisco 2600 via TFTP:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a008015bf9e.shtml

For a Cisco 2600 router:

(a) Connect to the router's console port with TeraTerm.

(b) Power on the router.

(c) Press Alt+B (TeraTerm's break sequence) while the router boots to enter ROMmon mode.

(d) Set the ROMmon variables for the TFTP download (the values used here; adjust them for your network):

     rommon 16 > IP_ADDRESS=192.168.1.66      ( IP of the router)
     rommon 17 > IP_SUBNET_MASK=255.255.255.0
     rommon 18 > DEFAULT_GATEWAY=192.168.1.254
     rommon 19 > TFTP_SERVER=192.168.1.64
     rommon 20 > TFTP_FILE=c2600-is-mz.113-2.0.3.Q
     rommon 21 > TFTP_CHECKSUM=0

Note: As detailed in Cisco bug ID CSCdk81077 (registered customers only), for Cisco 2600 and 1720 Series Routers running the ROM monitor command tftpdnld, the command might report a bad checksum comparison when it loads Cisco IOS software images of Cisco IOS Software Release 12.0(2.2)T or later.

Note: As a workaround to this problem, set the ROM monitor variable TFTP_CHECKSUM to 0. This is done by defining the variable TFTP_CHECKSUM=0 from the ROM monitor set command, and then proceeding with the tftpdnld procedure.

Setting TFTP_CHECKSUM=0 disables ROMmon's own integrity check of the image, so verify the image file on the TFTP server (for example against the MD5 published with the download) before starting the transfer.

Then start the download:

   rommon 22 > tftpdnld

After the new IOS image has finished downloading, type

   rommon 23 > sync

Then reboot the router again; it will show the old IOS again.
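As an added example (not part of the original post), here is a small pre-flight check to run on the TFTP server before tftpdnld. Because the procedure above sets TFTP_CHECKSUM=0, ROMmon will not compare checksums itself, so the image is verified here instead: it must exist under the TFTP root, be readable by the unprivileged tftp daemon, and match the expected MD5. The TFTP root, the file name and the expected hash are assumptions; take the hash from Cisco's software download page.

```shell
#!/bin/sh
# Added example, not from the original post: verify the IOS image on the TFTP
# server before running tftpdnld. With TFTP_CHECKSUM=0 ROMmon skips its own
# checksum comparison, so integrity has to be checked on the server side.
# The TFTP root, file name and expected MD5 below are assumptions.

# check_tftp_image TFTPROOT FILENAME EXPECTED_MD5
# Returns 0 when TFTPROOT/FILENAME exists, is readable by everyone (tftpd
# usually runs unprivileged) and its MD5 equals EXPECTED_MD5; 1/2/3 otherwise.
check_tftp_image() {
    path="$1/$2"
    expected=$3

    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi

    # Octal permission bits; GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        *[4567]) ;;    # the "others" digit has the read bit set
        *) echo "not world-readable: $path (mode $mode)" >&2; return 2 ;;
    esac

    actual=$(md5sum "$path" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "md5 mismatch for $path: got $actual, expected $expected" >&2
        return 3
    fi

    echo "ok: $path (mode $mode) md5 $actual"
    return 0
}

# Usage with the file name from the post; the hash is a placeholder to replace
# with the MD5 shown on the Cisco download page for that image:
# check_tftp_image /tftpboot c2600-is-mz.113-2.0.3.Q <md5-from-cisco-download-page>
```

The return code distinguishes a missing file, a permission problem and a hash mismatch, so the check can be wired into whatever script stages images on the TFTP server.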

How to install/configure bind in linux

Friday, December 18th, 2009

a) yum install bind bind-chroot bind-utils

b) cd /usr/share/doc/bind-9.3.6/sample  [all the sample files are installed here]

c) cp -R var/* /var/named/chroot/var/

d) cp -R etc/* /var/named/chroot/etc/

cp /usr/share/doc/bind-9.3.6/sample/etc/named.conf /var/named/chroot/etc/

[note: if named.conf is not in that location, run "locate named.conf" to find it]
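As an added example (not part of the original post), the copy steps above as a small shell script that keeps the chroot layout straight and validates the result. A chrooted named sees /etc and /var/named relative to the chroot, so the sample etc/ tree belongs under /var/named/chroot/etc and the sample var/ tree under /var/named/chroot/var. The sample path (bind-9.3.6 on CentOS 5) and the chroot location are the ones the post uses; both are assumptions here.

```shell
#!/bin/sh
# Added example, not from the original post: copy the bind sample files into
# the bind-chroot tree with the layout a chrooted named expects (CHROOT/etc and
# CHROOT/var/named, mirroring the real filesystem) and validate the result.
# The sample directory and chroot path are taken from the post as assumptions.

# stage_bind_chroot SAMPLEDIR CHROOT
# Copies SAMPLEDIR/etc/* to CHROOT/etc/ and SAMPLEDIR/var/* to CHROOT/var/.
# Intended for first-time setup: existing files in CHROOT are overwritten.
stage_bind_chroot() {
    sample=$1
    root=$2
    if [ ! -d "$sample/etc" ] || [ ! -d "$sample/var" ]; then
        echo "expected etc/ and var/ under $sample" >&2
        return 1
    fi
    mkdir -p "$root/etc" "$root/var" || return 1
    cp -R "$sample/etc/." "$root/etc/" || return 1
    cp -R "$sample/var/." "$root/var/" || return 1
}

# validate_bind_chroot CHROOT
# Checks that the files a chrooted named needs are in place, then runs
# named-checkconf -t CHROOT (which resolves paths relative to the chroot)
# when the tool is installed.
validate_bind_chroot() {
    root=$1
    for f in etc/named.conf var/named; do
        if [ ! -e "$root/$f" ]; then
            echo "missing $root/$f" >&2
            return 1
        fi
    done
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/named.conf
    else
        echo "named-checkconf not found; syntax check skipped" >&2
    fi
}

# First-time setup with the paths from the post:
# stage_bind_chroot /usr/share/doc/bind-9.3.6/sample /var/named/chroot &&
#     validate_bind_chroot /var/named/chroot
```

Run the validation after every edit to named.conf as well; a syntax error found by named-checkconf before a restart is much cheaper than a resolver outage.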

Cisco Access Control Lists (ACL) (Web link)

Wednesday, December 16th, 2009
  1. http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

Harden Cisco IOS Devices

Wednesday, December 16th, 2009

Website link :

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

useful apache server documentation link

Tuesday, December 15th, 2009
  1. Prefix for configuration (installation directories): http://httpd.apache.org/docs/2.2/en/programs/configure.html#installationdirectories

Disclaimer

Tuesday, December 15th, 2009

Disclaimer: The information and content provided on this website are for reference and informational purposes only. I cannot guarantee the accuracy or completeness of any information or content published on this site. Use of the information and content on this site is at your own risk. I accept no responsibility for any loss or damage arising, directly or indirectly, from the use of this website.

Fosiul Alam

How to install mod_security from source

Tuesday, December 15th, 2009

Ref: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.11/html-multipage/installation.html

ModSecurity is an Apache module, so you have to tell its build where Apache is installed (if you installed Apache from source).
Here Apache is installed in the /usr/local/apache directory.
Note:
Make sure mod_unique_id is compiled in; ModSecurity depends on it.

Run the command below to check that mod_unique_id is present. apachectl -l lists only statically compiled modules, so if it was built as a shared module look for its LoadModule line in httpd.conf instead.

/usr/local/apache/bin/apachectl -l | grep mod_unique_id.c

If the module is not compiled in, you will have to recompile Apache with --enable-unique-id.
Example:

./configure  --prefix=/usr/local/apache --with-included-apr --with-php --with-mysql --with-susexec --disable-info --with-mpm=prefork --enable-so --enable-cgi --enable-rewrite --enable-ssl --enable-mime-magic --enable-unique-id

To build ModSecurity you need the packages below:

yum install pcre-devel
yum install apr-devel

Download ModSecurity from: http://www.modsecurity.org/download/index.html

Configuring and installing ModSecurity

a) Download modsecurity-apache_2.5.12.tar.gz and upload it to the /tmp directory

b) tar -xvzf modsecurity-apache_2.5.12.tar.gz

c) cd modsecurity-apache_2.5.12

d) cd apache2

e) ./configure --with-apxs=/usr/local/apache/bin/apxs --with-pcre=/usr/bin/pcre-config --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config

f) make

g) make install

Configure ModSecurity with Apache:

a) Make a directory named modsecurity under /usr/local/apache/conf/ and copy all the ModSecurity rules there.
   Note: the rules are in the ModSecurity source directory "/tmp/modsecurity-apache_2.5.12/rules".

b) Insert the line below in httpd.conf (/usr/local/apache/conf/):

    Include conf/modsecurity/*.conf

c) Also insert the lines below in httpd.conf (/usr/local/apache/conf/):

    LoadFile /usr/lib/libxml2.so
    LoadFile /usr/lib/liblua-5.1.so
    LoadModule security2_module modules/mod_security2.so

   Note: the liblua line is optional and only needed if you will be using the new Lua engine. In that case you will also have to pass --with-lua=PATH to the ModSecurity configure script. Ref: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.11/html-multipage/installation.html
   Note: the LoadModule line should be inserted automatically by "make install"; if it is not, add it yourself.

Now stop and restart the Apache service, and check the Apache error_log for entries like these:

[Tue Dec 15 12:14:10 2009] [notice] ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/) configured.
[Tue Dec 15 12:14:10 2009] [notice] Original server signature: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

Enabling ModSecurity:

By default the ModSecurity rule engine is enabled, but you can check it in
modsecurity_crs_10_config.conf (location: /usr/local/apache/conf/modsecurity/).
Make sure the line below is set to On:
 SecRuleEngine On

Adding rules to ModSecurity:

Copy all the rules from the base_rules directory to the modsecurity directory:
 cp /tmp/modsecurity-apache_2.5.12/rules/base_rules/* /usr/local/apache/conf/modsecurity/

Note: To test your rules you can set SecRuleEngine DetectionOnly in modsecurity_crs_10_config.conf (location: /usr/local/apache/conf/modsecurity/). Matches are then logged but nothing is blocked, which shows you how all those rules are performing before you enforce them.

Now stop and restart Apache again, and look at error_log and access_log for ModSecurity activity.

Configure options for the ModSecurity build

--with-apxs=FILE    FILE is the path to apxs; defaults to "apxs".
--with-pcre=PATH    Path to pcre prefix or config script
--with-apr=PATH     Path to apr prefix or config script
--with-apu=PATH     Path to apu prefix or config script
--with-libxml=PATH  Path to libxml2 prefix or config script
--with-lua=PATH     Path to lua prefix or config script (optional)
--with-curl=PATH    Path to curl prefix or config script (optional)

Extra Notes:
1. Create a data directory: mkdir /usr/local/apache/conf/modsecurity/data
and add the line below to modsecurity_crs_10_config.conf (the directory must be writable by the user Apache runs as):

  SecDataDir /usr/local/apache/conf/modsecurity/data

If this line is missing you might see this kind of error:
[Thu Dec 10 10:10:54 2009] [error] [client xx.xx.xx.xx] ModSecurity: Unable to retrieve collection (name "ip", key "xx.xx.xx.xx"). Use SecDataDir to define data directory first. [hostname "xx.xx.xx.xxx"] [uri "/"] [unique_id "SyC7Hn8AAAEAABLHj9gAAAAL"]
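As an added example (not from the original post or the ModSecurity project), the hand-edited settings above turned into a repeatable check, plus a small field extractor for ModSecurity error_log entries like the SecDataDir error just shown. The first part confirms that security2_module is loaded, that the rules directory is included, what SecRuleEngine is set to and that SecDataDir points at an existing directory; the second pulls named fields (client, hostname, uri, unique_id) out of one log line so the entry can be correlated with access_log. Paths follow the post (/usr/local/apache); the client address and hostname in the test data are constructed, the unique_id is the one from the log entry above.

```shell
#!/bin/sh
# Added example, not from the original post or the ModSecurity project: check
# the settings this post edits by hand and extract the bracketed fields from a
# ModSecurity error_log entry. Paths follow the post (/usr/local/apache) but
# are assumptions.

# modsec_directive CONFDIR NAME
# Prints the last value of directive NAME across CONFDIR/*.conf, ignoring
# commented-out lines (the last occurrence wins, as in Apache itself).
modsec_directive() {
    cat "$1"/*.conf 2>/dev/null |
        awk -v n="$2" '$1 == n { v = $2 } END { if (v != "") print v }'
}

# modsec_check HTTPD_CONF CONFDIR
# Returns 0 when security2_module is loaded, the rules directory is included,
# SecRuleEngine is On and SecDataDir names an existing directory (the CRS ip
# and session collections are stored there). DetectionOnly is reported as a
# warning but still returns 0; any other engine value (e.g. "On," with a stray
# comma) is an error.
modsec_check() {
    httpd_conf=$1
    confdir=$2
    rc=0
    if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security2_module' "$httpd_conf"; then
        echo "LoadModule security2_module missing in $httpd_conf"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*Include[[:space:]]+conf/modsecurity/' "$httpd_conf"; then
        echo "Include conf/modsecurity/*.conf missing in $httpd_conf"; rc=1
    fi
    engine=$(modsec_directive "$confdir" SecRuleEngine)
    case "$engine" in
        On) ;;
        DetectionOnly) echo "warning: SecRuleEngine DetectionOnly logs matches but blocks nothing" ;;
        *) echo "SecRuleEngine is '$engine' (expected On)"; rc=1 ;;
    esac
    datadir=$(modsec_directive "$confdir" SecDataDir)
    if [ -z "$datadir" ]; then
        echo "SecDataDir not set; ip/session collections cannot be stored"; rc=1
    elif [ ! -d "$datadir" ]; then
        echo "SecDataDir $datadir does not exist"; rc=1
    fi
    return $rc
}

# modsec_log_field LINE NAME
# Prints the value of [NAME "value"] or [NAME value] from one error_log line,
# e.g. client, hostname, uri, unique_id. Quoted values may contain brackets.
modsec_log_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
    {
        s = $0
        while (match(s, /\[[a-z_]+ ("[^"]*"|[^]]*)\]/)) {
            tok = substr(s, RSTART + 1, RLENGTH - 2)   # drop the brackets
            sp = index(tok, " ")
            name = substr(tok, 1, sp - 1)
            val = substr(tok, sp + 1)
            gsub(/^"|"$/, "", val)
            if (name == want) { print val; exit }
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# Usage with the paths from the post:
# modsec_check /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/modsecurity
```

Run modsec_check before every restart; it catches the three mistakes the post describes (missing LoadModule, engine left in DetectionOnly, SecDataDir unset) without starting Apache. modsec_log_field is handy in a one-liner over error_log, for example to list the distinct unique_id values of collection errors and look them up in access_log.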

Yum repo list for Centos

Monday, December 14th, 2009

For 32-bit kernel:

Repo1:

Download :
 
wget -c http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
 
Install : rpm -Uvh epel-release-5-3.noarch.rpm

Repo2:

Download :
 
wget -c  http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
 
Install :
 
rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm

For 64-bit kernel:

Repo1:

Download :
 
wget -c http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
 
Install : rpm -Uvh epel-release-5-3.noarch.rpm

Repo2:

Download :
 
wget -c  http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
Install :
 
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

How to display security updates by yum

Monday, December 7th, 2009

Ref: http://magazine.redhat.com/2008/01/16/tips-and-tricks-yum-security/

Ref: http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/

Install Plugin

Type the following command:
# yum install yum-security

How Do I Display Available Security Updates?

Type the following command:
# yum list-security
Sample Outputs:

Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
list-security done

To list all updates that are security relevant, and get a return code indicating whether there are security updates, use:
# yum --security check-update
To get a list of all BZs that are fixed for packages you have installed use:
# yum list-security bugzillas
To get the information on advisory RHSA-2009:1148-1 use:
# yum info-security RHSA-2009:1148-1
Sample Outputs:

Loaded plugins: rhnplugin, security

===============================================================================
  RHSA-2009:1148
===============================================================================
  Update ID : RHSA-2009:1148-1
    Release :
       Type : security
     Status : final
     Issued : 2009-07-08 23:00:00
       Bugs : 509125 - None
	    : 509375 - None
       CVEs : CVE-2009-1890
	    : CVE-2009-1891
Description : Important: httpd security update  The Apache HTTP Server is a
            : popular Web server.  A denial of service flaw was
            : found in the Apache mod_proxy module when it was
            : used as a reverse proxy. A remote attacker could
            : use this flaw to force a proxy process to consume
            : large amounts of CPU time. (CVE-2009-1890)  A
            : denial of service flaw was found in the Apache
            : mod_deflate module. This module continued to
            : compress large files until compression was
            : complete, even if the network connection that
            : requested the content was closed before
            : compression completed. This would cause
            : mod_deflate to consume large amounts of CPU if
            : mod_deflate was enabled for a large file.
            : (CVE-2009-1891)  All httpd users should upgrade to
            : these updated packages, which contain backported
            : patches to correct these issues. After installing
            : the updated packages, the httpd daemon must be
            : restarted for the update to take effect.
      Files : mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-devel-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
	    : httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
	    : mod_ssl-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-2.2.3-22.el5_3.2.i386.rpm
	    : httpd-manual-2.2.3-22.el5_3.2.i386.rpm
info-security done

Ref: http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/

To get an info list of the latest packages which contain fixes for Bugzilla 3595; CVE # CVE-2009-1890 and advisories RHSA-2009:1148-1, use:
# yum --bz 3595 --cve CVE-2009-1890 --advisory RHSA-2009:1148-1 info updates

How Do I Install All The Security Updates Only?

Type the following command to download and install all the available security updates:
# yum update --security
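As an added example (not from the original post or the referenced articles), the list-security output above is turned into a per-advisory summary, and the check-update call is wrapped so that a cron job or monitoring check can act on it. The sample input is constructed from the output shown in the post; the yum exit codes (100 when updates are available, 0 when none, 1 on error) are yum's documented behaviour.

```shell
#!/bin/sh
# Added example, not from the original post or the referenced articles: turn
# "yum list-security" output into a per-advisory summary and wrap
# "yum --security check-update" so its exit status can drive a cron job or
# monitoring check. The sample below is constructed from the post's output.

SAMPLE_LIST_SECURITY='Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
list-security done'

# summarize_security_list  (list-security output on stdin)
# One line per advisory: "<advisory> <type> <package count>". The plugin banner
# and the closing "list-security done" line do not start with an advisory id
# and are skipped. RHSA = security, RHBA = bug fix, RHEA = enhancement.
summarize_security_list() {
    awk '$1 ~ /^RH[SBE]A-/ { kind[$1] = $2; n[$1]++ }
         END { for (a in n) print a, kind[a], n[a] }' | sort
}

# count_security_advisories  (stdin) -> number of distinct advisories
count_security_advisories() {
    summarize_security_list | wc -l | tr -d ' '
}

# security_updates_pending -> 0 none pending, 1 pending, 2 yum failed.
# "yum check-update" exits 100 when updates are available, 0 when there are
# none and 1 on error, so the raw status cannot be used as a plain boolean.
security_updates_pending() {
    rc=0
    yum --security check-update >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   return 0 ;;
        100) return 1 ;;
        *)   return 2 ;;
    esac
}

# Example run on the constructed sample:
# printf '%s\n' "$SAMPLE_LIST_SECURITY" | summarize_security_list
# prints: RHSA-2009:1148-1 security 4
```

In a nightly job, "security_updates_pending; case $? in 1) ... ;; 2) ... ;; esac" separates "patches are waiting" from "yum itself is broken", which plain "yum --security check-update" run under set -e does not, since both cases exit non-zero.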