Thursday, April 10, 2014

Heartbleed may compromise thousands of web sites.

You know a security vulnerability is serious when I start talking about it. Yesterday morning the story of a serious encryption flaw called Heartbleed  exists in OpenSSL, the most widely deployed encryption code on the Internet. It is used in everything from web servers, email servers, instant messaging, VPN's, and more.
heart
When you establish an encrypted connection to a website, be it Google, Facebook or your bank’s online branch, the data is encrypted using the SSL/TLS protocol. Many popular web servers utilize the open-source OpenSSL library to do this job for them. Earlier this week, the maintainers of OpenSSL released a fix for a serious bug in the implementation of TLS feature called “Heartbeat,” which could potentially reveal up to 64 kB of server memory to an attacker.
In other words, the flaw could have enabled anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library. In the worst-case scenario, this small block of memory may contain something sensitive – user names, passwords, or even the private key which is used by the server to keep your connection encrypted. In addition, exploiting Heartbleed leaves no traces, so there is no definite way to tell if a server was hacked and what kind of data was stolen.
Here’s the good news: OpenSSL fixed the bug. Here’s the bad news: there is no way to guarantee that those sites and services affected by Heartbleed are implementing the patch that mitigates it. More bad news: apparently the bug is pretty easy to exploit and may have existed for as long as two years. It means that the security certificates of many popular sites may have been stolen, as well as sensitive user data, including passwords.

The action plan for the user

  • Check if your favorite site was vulnerable. There are online tools to check the presence of the vulnerability, but you also need to know, if it was present before. Luckily, there is a long list of popular websites that were checked against the vulnerability. Good news: Facebook and Google are unaffected. Bad news: Yahoo, Flickr, Duckduckgo, LastPass, Redtube, OkCupid, Hidemyass, 500px and many others was vulnerable. Get ready to act if you have an account on those vulnerable sites;
  • Check if the site is vulnerable now. There is a simple tool for that.
  • When site owners fix the bug, they must consider re-issuing site certificates as well. So get ready to monitor server certificate and make sure you’re using a new one (issued on April 8th or later). To do this, enable the certificate revocation check in your browser.  Here is the sample from Google Chrome settings:
heartbleed2
  • This will prevent your browser from using old certificates. To check the certificate issue date manually, click the green lock in the address bar and click the “information” link on the “Connection” tab:
heartbleed3
  • The most important step – when the server is patched and certificate is updated, is to change your password immediately. Use this opportunity to revise your password policy and start using simple to remember yet strong passwords. 

Wednesday, April 9, 2014

Heartbleed Bug: serious OpenSSL vulnerability

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected by the SSL encryption used to secure the Internet. SSL provides security and privacy for applications such as web, email, instant messaging (IM) and virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the user names and passwords, instant messages, emails and business critical documents and communication protected by the vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt the traffic. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

I have been compiling code for over 15 years. If you have servers or applications that use the SSLEAY libraries, your app is vulnerable. Call me at (831) 531-4107. I CAN HELP YOU FIX THIS.

http://jamesdillon-developer.blogspot.com/2014/04/heartbleed-bug-vulnerable-openssl-cve.html

Tuesday, November 12, 2013

Nagios is the shiznit..

Nagios is a powerful monitoring system that enables organizations
to identify and resolve IT infrastructure problems before they affect
critical business processes.
Nagios gives you the peace of mind that comes from knowing your 
organization's business processes won't be affected by unknown outages.

Nagios is a powerful tool that provides you with:
instant awareness of your organization'smission-critical IT infrastructure.
Nagios allows you to detect and repair problems and mitigate future issues
before they affect end-users and customers.
What Nagios Provides:
By using Nagios, you can:
Plan for infrastructure upgrades before outdated systems cause failures
Respond to issues at the first sign of a problem
Automatically fix problems when they are detected
Coordinate technical team responses
Ensure your organization's SLAs are being met
Ensure IT infrastructure outages have a minimal effect on your organization's bottom line
Monitor your entire infrastructure and business processes

How It Works
Monitoring

IT staff configure Nagios to monitor critical IT infrastructure components,
 including system metrics, network protocols, applications, services, servers,
and network infrastructure.

Alerting
Nagios sends alerts when critical infrastructure components fail and recover,
 providing administrators with notice of important events. Alerts can be 
delivered via email, SMS, or custom script.

Response
IT staff can acknowledge alerts and begin resolving outages and
 investigating security alerts immediately. Alerts can be escalated 
to different groups if alerts are not acknowledged in a timely manner.

Reporting
Reports provide a historical record of outages, events, notifications, 
and alert response for later review. Availability reports help ensure 
your SLAs are being met.

Maintenance
Scheduled downtime prevents alerts during scheduled maintenance 
and upgrade windows.

Monday, December 26, 2011

Rasberry Pi anyone??

This thing is a game changer for the PC Industry. A single board computer for general purpose applications, due out next month. It is the size of a credit card, has tons of applications, and has unmistakable geek cred. This will run off of AA batteries or 5 volt wall wart. Has HDMI video, audio, USB, SD card slot, and Ethernet. Cost 35 bucks. Boots in about 25 seconds. Read more here: http://www.raspberrypi.org/



Ultra low power and very compact, the Raspberry Pi is expected to ship next month, and has a wide range of applications, including media server, Linux desktop, applications development, router/firewall, and multi- blade servers. This little guy could change the world. Manufacter web site is here:http://www.raspberrypi.org/

Sunday, April 11, 2010

ClearOS

ClearOS is a powerful network and gateway server designed for small organizations and distributed environments.  Though ClearOS comes with an extensive list of features  and integrated services (see sidebar), the solution is easy to configure thanks to the intuitive web-based interface.
 Webconfig - web-based administration tool screenshot

The open source revolution in the software industry has made it possible to provide ClearOS at no cost.  Among other features, antivirus, antispam, VPN and content filtering are built right into the software -- no need for expensive third party add-ons. With ClearOS, you can avoid costly vendor lock-in and proprietary formats; instead, you can embrace open standards and protocols.

Along with online documentation, you will find an active community ready to help find your way.  Open source is great, but where do you go for help with installation, support, consulting and professional services?  Let me introduce you to ClearCenter.  Not only will you find 24x7 ClearCARE support from ClearCenter, but also a growing army of ClearCenter partners to help with installation, onsite support, professional services and that all important ongoing maintenance.

  • Integrated LDAP for User and Group Management
  • User Security Certificate Manager

  • Multi-WAN
  • VPN - PPTP, IPsec, OpenVPN
  • DMZ and 1-to-1 NAT
  • Stateful Firewall
  • Local DHCP and DNS Servers

  • Antimalware - Antivirus, Antiphishing, Antispyware
  • Antispam
  • Bandwidth Management
  • Intrusion Protection, Intrusion Prevention, Intrusion Detection
  • Protocol Filtering including Peer-to-Peer Detection
  • Content Filter
  • Web Proxy
  • Access Control

  • Windows Networking with PDC Support
  • File and Print Services
  • Flexshares
  • Groupware with Outlook Connector
  • Mail Server - POP, IMAP, SMTP, Webmail, Retrieval
  • Mail Filtering - Antispam, Antimalware, Greylisting, Quarantine
  • Mail Archiving
  • Database with MySQL
  • Web Server with PHP Support
 

Tuesday, December 22, 2009

Using VirtualBox to install Microsoft Exchange 2003

Using VirtualBox to install Microsoft Exchange 2003



I install two servers running Windows 2003 R2. I download the .ISO image and will boot from that.
I have installed VirtualBox from Sun and created the first Windows 2003 server here. I call it 2K3srv. Setting here are fine for now .
Update using Windows update. I give it a static IP address of 10.0.2.5.
After that I created a domain controller by adding DNS, DHCP, and Active Directory.  Just use the Manage your server wizard.



Installed the second virtual machine (Exch2K3) and ran Windows Update. I gave it a static IP of 10.0.2.6.
I installed a second NIC on each VM so they could see each other. (This is the same with clusters BTW.)
Win2K3 is as follows: IP 10.0.1.1 SN 255.255.255.0 GW 10.0.2.2 DNS 127.0.0.1 2ed DNS 68.94.156.1
Exchange2K3 IP is:  IP 10.0.1.2 SN 255.255.255.0 GW 10.0.2.2 DNS 10.0.1.1 2ed DNS 68.94.156.1
So now the VM’s can ping each other and browse via My Network Places.
Join the second machine to the domain.  My domain name is stardotcafe.com.
On the second machine which will become your Exchange server install the prerequisites for Exchange.

Open Add/Remove Programs control panel
Click Add/Remove Windows Components
Select Application Server and click Details
Click ASP.NET



Double Click Internet Information Services (IIS)
Scroll down and check the box next to NNTP and SMTP


Click OK twice and then click Next. When prompted insert the CDs as requested
Once the install is complete click Finish and close the Add/Remove programs control panel
Exchange install - Forest and Domain Prep
Next insert (mount) the Exchange 2003 CD ISO image



Click Exit on the first page
Once you have the latest Exdelpoy.exe from MS run it. Enter the location to save the files and click "OK"
Next locate and double click the exdeploy.hta file
You are now at the first page of the Exchange deployment tools



Click "Deploy the first Exchange server"
Click "New Exchange 2003 Installation"


The first three steps are all about ensuring the prerequisites are met. Select the checkboxes by steps 1 and 2 as these have already been covered.
Select the checkboxes by steps 1 and 2 as these have already been covered.
For step three ensure the support tools are installed.
Click the box by step three




To perform step four open a CMD prompt (Start, Run, type "CMD", Press "Enter")
In the CMD prompt window type the command below and press enter:
dcdiag /f:c:\dcdiaglog.txt /s:domaincontrollername.domain.com
(for me is was C:\Program Files\Support Tools>dcdiag /f:c:\dcdiaglog.txt /s:Win2K3.stardotcafe.com)
This will output the results to a text file in the C: called dcdiaglog.txt. Open the file and ensure there are no errors.

You should see output like the following:
 C:\Program Files\Support Tools>dcdiag /f:c:\dcdiaglog.txt /s:Win2K3.stardotcafe.com

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.

Doing initial required tests
 
   Testing server: Default-First-Site\WIN2K3
      Starting test: Connectivity
         ......................... WIN2K3 passed test Connectivity

Doing primary tests
 
   Testing server: Default-First-Site\WIN2K3
      Starting test: Replications
         ......................... WIN2K3 passed test Replications
      Starting test: NCSecDesc
         ......................... WIN2K3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... WIN2K3 passed test NetLogons
      Starting test: Advertising
         ......................... WIN2K3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... WIN2K3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... WIN2K3 passed test RidManager
      Starting test: MachineAccount
         ......................... WIN2K3 passed test MachineAccount
      Starting test: Services
         ......................... WIN2K3 passed test Services
      Starting test: ObjectsReplicated
         ......................... WIN2K3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... WIN2K3 passed test frssysvol
      Starting test: frsevent
         ......................... WIN2K3 passed test frsevent
      Starting test: kccevent
         ......................... WIN2K3 passed test kccevent
      Starting test: systemlog
         ......................... WIN2K3 passed test systemlog
      Starting test: VerifyReferences
         ......................... WIN2K3 passed test VerifyReferences
 
   Running partition tests on : TAPI3Directory
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom
 
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
 
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
 
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
 
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
 
   Running partition tests on : stardotcafe
      Starting test: CrossRefValidation
         ......................... stardotcafe passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... stardotcafe passed test CheckSDRefDom
 
   Running enterprise tests on : stardotcafe.com
      Starting test: Intersite
         ......................... stardotcafe.com passed test Intersite
      Starting test: FsmoCheck
         ......................... stardotcafe.com passed test FsmoCheck


So long as you have no errors move back to the deployment tools and check the 4th box.


Next move back to the command prompt and enter the command below and press enter:

Netdiag >c:\netdiaglog.txt

The command will take a short while to execute. Once complete view the log file in the C:




....................................

    Computer Name: EXCH2K3
    DNS Host Name: exch2k3.stardotcafe.com
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 6 Model 15 Stepping 6, GenuineIntel
    List of installed hotfixes :
        KB923561
        KB924667-v2
        KB925398_WMP64
        KB925902-v2
        KB926122
        KB927891
        KB929123
        KB930178
        KB932168
        KB933854
        KB936357
        KB938127
        KB941569
        KB942830
        KB942831
        KB943055
        KB943460
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB950762
        KB950974
        KB951066
        KB951748
        KB952004
        KB952069
        KB952954
        KB953298
        KB954155
        KB955069
        KB955759
        KB956572
        KB956802
        KB956803
        KB956844
        KB957097
        KB958469
        KB958644
        KB958687
        KB958869
        KB959426
        KB960225
        KB960803
        KB960859
        KB961371-v2
        KB961501
        KB967715
        KB967723
        KB968389
        KB968816
        KB969059
        KB969947
        KB970238
        KB970430
        KB970483
        KB971032
        KB971486
        KB971557
        KB971633
        KB971657
        KB971737
        KB971961
        KB971961-IE8
        KB973354
        KB973507
        KB973525
        KB973540
        KB973687
        KB973815
        KB973869
        KB973904
        KB973917
        KB974112
        KB974318
        KB974392
        KB974571
        KB975025
        KB975364-IE8
        KB975467
        KB976098-v2
        KB976325
        KB976325-IE8
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 2

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : exch2k3
        IP Address . . . . . . . . : 10.0.1.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.0.2.2
        Dns Servers. . . . . . . . : 10.0.1.1
                                     68.94.156.1

        IpConfig results . . . . . : Failed

            [WARNING] Your default gateway is not on the same subnet as your IP address.

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : exch2k3
        IP Address . . . . . . . . : 10.0.2.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.0.2.2
        Dns Servers. . . . . . . . : 10.0.2.5
                                     68.94.156.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B44011CE-955E-4EBF-A3F6-48165D15F773}
        NetBT_Tcpip_{BA88752D-970E-4FF3-9575-B48C4983D17F}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B44011CE-955E-4EBF-A3F6-48165D15F773}
        NetBT_Tcpip_{BA88752D-970E-4FF3-9575-B48C4983D17F}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{BA88752D-970E-4FF3-9575-B48C4983D17F}
        NetBT_Tcpip_{B44011CE-955E-4EBF-A3F6-48165D15F773}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'STARDOTCAFE' is to '\\win2k3.stardotcafe.com'.


Kerberos test. . . . . . . . . . . : Skipped


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] You are logged on as a local user. (EXCH2K3\Administrator)
        Cannot test NTLM Authentication to 'win2k3.stardotcafe.com'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

The text file should like the above output. You should get no errors. (I have errors for Default gateway because this is an isolated test system)


So long as you have no errors move back to the deployment tools and check the 5th box.

The next step is to run Forest prep. This must be run by a user with Schema administrator permissions. Forest Prep will extend the AD Schema with the new classes and attributes that Exchange 2003 requires to operate.
To proceed enter the path to the install CD in the box provided and click "Run ForestPrep now"
If prompted about an incompatibility then select the checkbox to ignore the warning in the future and click “Continue”
The Warning occurs because Exchange 2003 RTM needs upgrading to SP2 which we will install later.
Once the install opens click “Next”
Agree to the license and click “Next”

Note that only ForestPrep will be performed and that files will go in the default location C:\Program Files\Exchsrvr (this can be changed if required to place files on an Application drive)
Click “Next”

Select the account to be the first Exchange Full Administrator. The default is the account you are logged in as. If you are only logging in as a special schema admin account then you should select an account that will be used to admin Exchange. I will leave the default in place of Administrator.

Click “Next”
ForestPrep is a fairly slow process that could take around 30mins on a slow network. You will see several screens like the one below
Once the process is complete click Finish
Next move back to the deployment tools and check the box on the 6th step
Now move onto the Domain Prep. This will need to be performed in the root domain and any others which will hold Exchange mailboxes. Personally it is simplest to run it in all domains in the forest.
In a simple single domain forest proceed as follows:
Enter the path to the Install files where requested and click “Run DomainPrep now”.
On the welcome page click “Next”
Accept the licence and click “Next”
Again note that only DomainPrep will be carried out and that you can change the file location if you want (Only change it if you changed the location for ForestPrep too)
Click “Next”
Early in the process you will likely be warned that your domain is insecure for mail-enabled groups with hidden DL membership. Anyone in the Pre-Windows 2000 Compatible Access group can view this membership. So long as you are not using the group for a valid reason remove the default membership of Authenticated users to remove the problem.
Click "OK"
The DomainPrep is quick and shows the screen below whilst running
Once complete click Finish
Move back to the deployment tools and check the box of the 7th step.
You are now finally ready to install Exchange.
Move onto step 8. Again enter the path to the install files and click “Run Setup Now”
On the welcome page click “Next”
Accept the licence and click “Next”
This time check the install options carefully. You can choose which components to install. Generally the defaults are fine and that is what we shall stick with. Note also, that you can change the file location. Again you should do this if you changed the location for forest and domain prep.
Once you are happy with your selections, click “Next"
As there is no Exchange org setup currently select to create one and click “Next”
Name the org and click “Next”
Agree to the licence and click “Next”
Verify your choices and click “Next”
The installation will progress
When complete click Finish
Now return to the deployment tools and check the box next to step 8.
Click “Next” on the deployment tools bottom right hand corner
The next page runs through the steps again for other Exchange servers.
For now we will not install another server so again click “Next” on the deployment tools bottom right hand corner.
Congratulations you have just installed Exchange!

SysAdmin Headlines

Loading...

Linux Jobs