Use the link below to check whether your server is vulnerable to Heartbleed.
Link
Product-based advisories:
Cisco
F5
Fix For Ubuntu
Read About this Bug
Link
Thursday, April 10, 2014
Monday, March 31, 2014
Encrypting Cookies through F5 using iRules
Referenced from https://devcentral.f5.com/wiki/irules.EncryptingCookies.ashx
when CLIENT_ACCEPTED {
    # Define an AES encryption key. Valid key lengths are 128, 192, or 256 bits.
    # You can use a key generator, or create your own using only HEX characters.
    set aes_key "AES 128 63544a5e7178677b45366b41405f2dab"

    # Name of the cookie to encrypt/decrypt
    set cookie "myCookie"

    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set cookie_encryption_debug 0
}
when HTTP_RESPONSE {
    # Check if response contains an error cookie with a value
    if {[string length [HTTP::cookie value $cookie]] > 0} {
        # Log the original error cookie value from the app
        if {$cookie_encryption_debug} {log local0. \
            "Response from app contained our cookie: [HTTP::cookie value $cookie]"}

        # Encrypt the cookie value so the client can't change the value
        HTTP::cookie value $cookie [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]

        # Log the encoded and encrypted error cookie value
        if {$cookie_encryption_debug} {log local0. \
            "Encrypted error cookie to: [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]"}
    }
}
when HTTP_REQUEST {
    # If the error cookie exists with any value, for any requested object, try to decrypt it
    if {[string length [HTTP::cookie value $cookie]]} {
        if {$cookie_encryption_debug} {log local0. \
            "Original error cookie value: [HTTP::cookie value $cookie]"}

        # URI decode the value (catching any errors that occur when trying to
        # decode the cookie value and save the output to cookie_uri_decoded)
        if {not ([catch {URI::decode [HTTP::cookie value $cookie]} cookie_uri_decoded])} {
            # Log that the cookie was URI decoded
            if {$cookie_encryption_debug} {log local0. "\$cookie_uri_decoded was set successfully"}

            # Decrypt the value
            if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded} cookie_decrypted])} {
                # Log the decrypted cookie value
                if {$cookie_encryption_debug} {log local0. "\$cookie_decrypted: $cookie_decrypted"}
            } else {
                # URI decoded value couldn't be decrypted.
            }
        } else {
            # Cookie value couldn't be URI decoded
        }
    } else {
        # Cookie wasn't present in the request
    }
}
Secure Web Application With httponly and Secure Using F5 iRule
The following iRule adds the HttpOnly and Secure flags to Set-Cookie headers for cookies whose name starts with the cookie name provided.
Create an iRule using the code below and attach it to your virtual server.
when HTTP_RESPONSE {
    # Set the Secure flag on the named cookie
    HTTP::cookie secure "CookieName" enable
    # Save every Set-Cookie header, then re-insert them one by one
    set ak [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach acookie $ak {
        if {$acookie starts_with "CookieName"} {
            # Matching cookie: append HttpOnly
            HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
        } else {
            # Other cookies are re-inserted unchanged
            HTTP::header insert "Set-Cookie" $acookie
        }
    }
}
Friday, March 21, 2014
Account Login recording in Linux & Windows System with Zenoss
Recording SSH login successes and failures
For Linux Servers
Settings on the Linux side
Edit /etc/syslog.conf on the Linux server and add the following line (substitute the Zenoss server's IP address or hostname after the @):
authpriv.* @zenossserver ip or hostname
Restart the syslog daemon.
On the Zenoss side, check the following:
1. The machine's IP address and hostname must be correct so that syslog messages are attached to the correct device.
2. You can set the SSHD event component to critical so that the current alert system picks it up, OR
3. You can create a new alert only for sshd reporting (see the screenshot below).
This alert generates the alerts below; we can also try only to send
On Authentication Success
a. session opened for user
b. Accepted password for root from port ssh
On Authentication Failure
a. Failed password for illegal user from port ssh
b. Illegal user from
On Session Logout
Session closed for
For Windows Servers
On all servers where WMI monitoring is enabled, we just need to increase zWinEventlogMinSeverity to 5; the default is 2.
Alerts Creation
For Successful Logins:
eventClassKey -- Security_552
For Failed Logins
eventClassKey -- Security_680
More details on the security event codes can be found on TechNet: http://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx
Result looks like this
Device:
Component: Security
Severity: Info
Time: 2014/03/21 00:05:11.000
Message:
Logon attempt using explicit credentials:
Logged on user:
User Name:$
Domain: WORKGROUP or DOMAINNAME
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name:
Target Domain: System Name
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 5060
Source Network Address:
Source Port: 2211
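As an added example (not part of the original post and not Zenoss code), the sshd messages listed for Linux servers above can be classified like this before deciding which ones to alert on. It goes slightly beyond the list by also accepting "Invalid user", the wording newer OpenSSH releases log in place of "Illegal user"; the host name, PIDs and addresses in the sample lines are constructed.

```python
import re
from collections import Counter

# Only lines tagged sshd[pid]; authpriv also carries su, sudo and cron.
SSHD_TAG = re.compile(r"\bsshd\[\d+\]:\s+(?P<msg>.*)$")
# "Invalid user" is the newer OpenSSH wording for "Illegal user".
RULES = [
    ("failed_password", re.compile(
        r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+)"
        r" from (?P<src>\S+) port \d+")),
    ("unknown_user", re.compile(
        r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)")),
    ("accepted_password", re.compile(
        r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("session_opened", re.compile(r"session opened for user (?P<user>[^\s(]+)")),
    ("session_closed", re.compile(r"session closed for user (?P<user>\S+)")),
]

def classify(line):
    """Return (event, user, source) for an sshd auth line, else None."""
    tagged = SSHD_TAG.search(line)
    if not tagged:
        return None
    for event, rx in RULES:
        m = rx.search(tagged.group("msg"))
        if m:
            return event, m.group("user"), m.groupdict().get("src")

def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failed passwords."""
    fails = Counter(hit[2] for hit in map(classify, lines)
                    if hit and hit[0] == "failed_password")
    return {src: n for src, n in fails.items() if n >= threshold}

# Constructed sample lines (documentation addresses, made-up host and PIDs).
SAMPLE = """\
Mar 21 00:05:11 web01 sshd[2211]: Illegal user admin from 192.0.2.10
Mar 21 00:05:12 web01 sshd[2211]: Failed password for illegal user admin from 192.0.2.10 port 40022 ssh2
Mar 21 00:05:15 web01 sshd[2213]: Failed password for root from 192.0.2.10 port 40030 ssh2
Mar 21 00:05:19 web01 sshd[2215]: Failed password for invalid user test from 192.0.2.10 port 40041 ssh2
Mar 21 00:06:01 web01 sshd[2300]: Accepted password for root from 198.51.100.7 port 51512 ssh2
Mar 21 00:06:01 web01 sshd[2300]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 21 00:06:30 web01 su[2310]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 21 00:09:44 web01 sshd[2300]: pam_unix(sshd:session): session closed for user root
""".splitlines()

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))
```

The "unknown user" line and the "Failed password" line for the same attempt are kept as separate events so that one attempt is not counted twice in the per-source failure total.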
Thursday, March 20, 2014
Hide tomcat Web Server Version Information
Replace the server version string in the HTTP headers of server responses by adding the server attribute to your Connectors in CATALINA_HOME/conf/server.xml:
    <Connector ...
               server="Apache"
    />
Unpack ServerInfo.properties from catalina.jar:
    cd $CATALINA_HOME/server/lib
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
Update ServerInfo.properties by changing the server.info line to server.info=Apache Tomcat
Repackage catalina.jar:
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
Remove CATALINA_HOME/server/lib/org (created when extracting the ServerInfo.properties file).
Restart the Tomcat server.
Labels:
OS - Network Security,
Security,
Webservers
Wednesday, March 19, 2014
Hide Apache Information from Intruders
Hide Apache Information
To hide the information, add the following two directives to the Apache configuration file httpd.conf:
    ServerTokens ProductOnly
    ServerSignature Off
Now restart the web server using the following command:
    # /etc/init.d/httpd restart
The Server header in Apache's responses now looks like this:
    # curl -I http://localhost
    Server: Apache
Labels:
OS - Network Security,
Security,
Webservers
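An added example, not from the original posts: a check that can be run over saved `curl -I` output to confirm both the banner changes above (Tomcat and Apache) and the HttpOnly/Secure iRule from the earlier post took effect. The two header dumps are constructed, and the function names and the "CookieName" prefix are assumptions for illustration.

```python
import re

# A bare product name ("Apache") is fine; digits or a "(platform)" comment
# mean the banner still discloses version or OS details.
DISCLOSURE_RE = re.compile(r"[\d(]")

def parse_headers(raw):
    """Split raw `curl -I` style output into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw, cookie_prefix):
    """Return findings for one response, in header order."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "server" and DISCLOSURE_RE.search(value):
            findings.append(f"server banner discloses version: {value}")
        if name == "set-cookie" and value.startswith(cookie_prefix):
            cookie_name = value.split("=", 1)[0]
            # Attribute names after the first ';', case-insensitive
            attrs = {a.strip().split("=")[0].lower()
                     for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"{cookie_name}: missing {flag}")
    return findings

# Constructed responses: before and after the changes described above.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Set-Cookie: CookieName=abc123; Path=/
Set-Cookie: CookieNameLang=en; Path=/; Secure
Set-Cookie: theme=dark; Path=/
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: CookieName=abc123; Path=/; Secure; HttpOnly
Set-Cookie: CookieNameLang=en; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw, "CookieName"))
```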
Thursday, March 13, 2014
GUI for NetApp Support Tools
The GUI for NetApp Support Tools is a Windows GUI that helps execute some of the important NetApp support tools.
Download Here
Labels:
Links And Tools,
NetApp,
Perfstat