Thursday, April 10, 2014

Heartbleed: test the server for CVE-2014-0160

Use the link below to find out if your server is vulnerable to Heartbleed.

Link

Product-based advisories.

Cisco

F5

Fix For Ubuntu
 
Read About this Bug

 Link

Monday, March 31, 2014

Encrypting Cookies through F5 using iRules

Referenced from https://devcentral.f5.com/wiki/irules.EncryptingCookies.ashx 

when CLIENT_ACCEPTED {
   # Define an AES encryption key. Valid key lengths are 128, 192, or 256 bits. 
   # You can use a key generator, or create your own using only HEX characters.
   # This is a sample key; replace it with your own before use.
   set aes_key "AES 128 63544a5e7178677b45366b41405f2dab"

   # Name of the cookie to encrypt/decrypt
   set cookie "myCookie"

   # Log debug messages to /var/log/ltm?  1=yes, 0=no.
   set cookie_encryption_debug 0
}

when HTTP_RESPONSE {

   # Check if response contains an error cookie with a value
   if {[string length [HTTP::cookie value $cookie]] > 0} {

      # Log the original error cookie value from the app
      if {$cookie_encryption_debug} {log local0. \
         "Response from app contained our cookie: [HTTP::cookie value $cookie]"}

      # Encrypt the cookie value so the client can't change the value
      HTTP::cookie value $cookie [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]

      # Log the encoded and encrypted error cookie value
      # (the cookie already holds the encoded ciphertext, so log it as-is)
      if {$cookie_encryption_debug} {log local0. \
        "Encrypted error cookie to: [HTTP::cookie value $cookie]"}
   }
}

when HTTP_REQUEST {
   # If the error cookie exists with any value, for any requested object, try to decrypt it
   if {[string length [HTTP::cookie value $cookie]]} {

      if {$cookie_encryption_debug} {log local0. \
         "Original error cookie value: [HTTP::cookie value $cookie]"}

      # URI decode the value (catching any errors that occur when trying to 
      # decode the cookie value and save the output to cookie_uri_decoded)
      if {not ([catch {URI::decode [HTTP::cookie value $cookie]} cookie_uri_decoded])} {

         # Log that the cookie was URI decoded
         if {$cookie_encryption_debug} {log local0. "\$cookie_uri_decoded was set successfully"}

         # Decrypt the value
         if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded} cookie_decrypted])} {

            # Log the decrypted cookie value
            if {$cookie_encryption_debug} {log local0. "\$cookie_decrypted: $cookie_decrypted"}

            # Hand the decrypted value to the application in place of the ciphertext
            HTTP::cookie value $cookie $cookie_decrypted
         } else {

            # URI decoded value couldn't be decrypted.
         }
      } else {
         # Cookie value couldn't be URI decoded
      }
   } else {
      # Cookie wasn't present in the request
   }
}

Secure Web Application With httponly and Secure Using F5 iRule

The following adds the HttpOnly and Secure flags to Set-Cookie headers for cookies whose name starts with the cookie name provided.

Create an iRule using the code below and attach it to your virtual server.

when HTTP_RESPONSE {
   # Set the Secure flag on the named cookie
   HTTP::cookie secure "CookieName" enable

   # Rebuild the Set-Cookie headers, appending HttpOnly to matching cookies
   set ak [HTTP::header values "Set-Cookie"]
   HTTP::header remove "Set-Cookie"
   foreach acookie $ak {
      if {$acookie starts_with "CookieName"} {
         HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
      } else {
         # Cookies with other names are re-inserted unchanged
         HTTP::header insert "Set-Cookie" $acookie
      }
   }
}
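To check the result of the iRule above from captured responses, this added Python example (not part of the original post and not F5 code) parses Set-Cookie values and reports which cookies with the given name prefix still lack HttpOnly or Secure. The cookie names and values in the samples are constructed.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the parts after the first ';' are attributes; the cookie value is ignored,
    # so a value that merely contains the word "httponly" does not count as the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(set_cookie_values, prefix):
    """Return {cookie name: [missing flags]} for cookies whose name starts with prefix."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if not name.startswith(prefix):
            continue
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed Set-Cookie values as the application sends them (no iRule attached).
BEFORE = [
    "CookieName=abc123; Path=/",
    "CookieNameAlt=xyz; Path=/; HttpOnly",
    "CookieNamePref=secure-httponly; Path=/",   # flag words inside the value only
    "tracking=1; Path=/",                        # different name, not audited
]

# Constructed values as they should look once both flags are applied.
AFTER = [
    "CookieName=abc123; Path=/; Secure; HttpOnly",
    "CookieNameAlt=xyz; Path=/; HttpOnly; secure",
    "CookieNamePref=secure-httponly; Path=/; Secure; HttpOnly",
    "tracking=1; Path=/",
]

if __name__ == "__main__":
    print("before:", missing_flags(BEFORE, "CookieName"))
    print("after: ", missing_flags(AFTER, "CookieName"))
```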

Friday, March 21, 2014

Account Login recording in Linux & Windows System with Zenoss

Recording SSH login successes and failures

For Linux Servers

Settings on the Linux side:
Edit the /etc/syslog.conf file on the Linux server and add the following line, where zenossserver is the IP address or hostname of the Zenoss server:
authpriv.* @zenossserver
Restart the syslog daemon.

On the Zenoss side, check the following:
1. The machine's IP address and hostname must be correct so that syslog messages are attached to the correct device.
2. You can define the sshd event component as critical so that the current alert system works, or
3. You can create a new alert only for sshd reporting; see the screenshot below.




This alert generates the alerts below; we can also try to send only:
On Authentication Success
a. session opened for user
b. Accepted password for root from port ssh
On Authentication Failure
a. Failed password for illegal user from port ssh
b. Illegal user from
On Session Logout
Session closed for  
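
The message fragments listed above can be turned into a small classifier for the forwarded authpriv lines. This Python sketch is an added example, not Zenoss code or part of the original post; the log lines are constructed, and the "Invalid user" wording used by newer OpenSSH releases is an addition beyond the messages the post lists.

```python
import re
from collections import Counter

# (category, rule, pattern) built from the message fragments listed in the post.
# Assumption: "Invalid user" (newer OpenSSH wording) is matched as well.
RULES = [
    ("failure", "failed_password", re.compile(
        r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("failure", "unknown_user", re.compile(
        r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)")),
    ("success", "accepted_password", re.compile(
        r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    ("success", "session_opened", re.compile(r"session opened for user (?P<user>\S+)")),
    ("logout", "session_closed", re.compile(r"session closed for user (?P<user>\S+)")),
]

# Constructed authpriv lines using documentation addresses, not from a real host.
SAMPLE = """\
Mar 21 00:01:10 web01 sshd[4321]: Illegal user admin from 192.0.2.10
Mar 21 00:01:12 web01 sshd[4321]: Failed password for illegal user admin from 192.0.2.10 port 40022 ssh2
Mar 21 00:01:15 web01 sshd[4322]: Failed password for root from 192.0.2.10 port 40023 ssh2
Mar 21 00:02:01 web01 sshd[4330]: Accepted password for root from 198.51.100.7 port 51000 ssh2
Mar 21 00:02:01 web01 sshd[4330]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 21 00:09:44 web01 sshd[4330]: pam_unix(sshd:session): session closed for user root
Mar 21 00:10:00 web01 crond[99]: pam_unix(crond:session): session opened for user root by (uid=0)
""".splitlines()


def classify(line):
    """Return a dict describing an sshd login event, or None for any other line."""
    if " sshd[" not in line:      # pam_unix session lines also come from cron, su, ...
        return None
    for category, rule, pattern in RULES:
        match = pattern.search(line)
        if match:
            return {"category": category, "rule": rule, **match.groupdict()}
    return None


def summarize(lines):
    """Count events per category and failed passwords per source address."""
    categories, failed_by_src = Counter(), Counter()
    for event in filter(None, map(classify, lines)):
        categories[event["category"]] += 1
        if event["rule"] == "failed_password":   # avoids counting one attempt twice
            failed_by_src[event["src"]] += 1
    return categories, failed_by_src
```

The failure tally per source counts only "Failed password" lines, because an attempt with an unknown user name produces both an "Illegal user" line and a "Failed password" line.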

For Windows Servers
 
On all servers where WMI monitoring is enabled, we just need to increase zWinEventlogMinSeverity to 5; the default is 2.

Alerts Creation
For Successful Logins:
eventClassKey -- Security_552
For Failed Logins
eventClassKey -- Security_680

More details on the security event codes can be found on TechNet: http://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx

The result looks like this:
Device:
Component: Security
Severity: Info
Time: 2014/03/21 00:05:11.000
Message:
Logon attempt using explicit credentials:
Logged on user:
User Name: $
Domain: WORKGROUP or DOMAINNAME
Logon ID: (0x0,0x3E7)

Logon GUID: -

User whose credentials were used:

Target User Name:

Target Domain: System Name

Target Logon GUID: -


Target Server Name: localhost

Target Server Info: localhost

Caller Process ID: 5060

Source Network Address:

Source Port: 2211

Thursday, March 20, 2014

Hide tomcat Web Server Version Information



Replace the server version string in the HTTP headers of server responses by adding the server attribute to your Connectors in CATALINA_HOME/conf/server.xml

<Connector ...
            server="Apache" />

Remove version string from HTTP error messages by repacking CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file.

Unpack catalina.jar

cd CATALINA_HOME/server/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Update ServerInfo.properties by changing server.info line to server.info=Apache Tomcat

Repackage catalina.jar

jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Remove CATALINA_HOME/server/lib/org (created when extracting the ServerInfo.properties file)

Restart the Tomcat server.

Wednesday, March 19, 2014

Hide Apache Information from Intruders



Hide Apache Information

To hide the information, add the following two directives to the Apache configuration file httpd.conf

ServerTokens ProductOnly
ServerSignature Off

Now restart your web server using the following command

# /etc/init.d/httpd restart

The Server header in the Apache response now looks like this
# curl -I http://localhost
Server: Apache
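
Both the Tomcat steps in the previous post and the Apache directives above can be verified against captured responses. This added Python example (not from the original posts) flags version tokens and OS comments in the Server header and the Tomcat version footer in an error page body; the raw responses and version numbers are constructed samples.

```python
import re

VERSION_TOKEN = re.compile(r"\b[A-Za-z][\w-]*/\d[\w.]*")   # e.g. Apache/2.2.15
OS_COMMENT = re.compile(r"\(([^)]+)\)")                    # e.g. (CentOS)
TOMCAT_FOOTER = re.compile(r"Apache Tomcat/\d[\w.]*")      # default error-page footer


def audit_response(raw):
    """Return a list of (where, leaked_text) pairs found in one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:                    # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "server":
            continue
        findings += [("Server header", t) for t in VERSION_TOKEN.findall(value)]
        findings += [("Server header", c) for c in OS_COMMENT.findall(value)]
    findings += [("error page body", t) for t in TOMCAT_FOOTER.findall(body)]
    return findings


# Constructed responses: Apache before and after ServerTokens ProductOnly.
APACHE_DEFAULT = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nContent-Length: 0\r\n\r\n"
APACHE_HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

# Constructed Tomcat 404: the Connector already has server="Apache", but
# ServerInfo.properties is unchanged, so the error page still shows the version.
TOMCAT_HEADER_ONLY = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
                      "<html><body><h1>HTTP Status 404</h1>"
                      "<h3>Apache Tomcat/6.0.24</h3></body></html>")

# Same 404 after server.info=Apache Tomcat was repacked into catalina.jar.
TOMCAT_HARDENED = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
                   "<html><body><h1>HTTP Status 404</h1>"
                   "<h3>Apache Tomcat</h3></body></html>")

if __name__ == "__main__":
    for label, raw in [("apache default", APACHE_DEFAULT), ("apache hardened", APACHE_HARDENED),
                       ("tomcat header only", TOMCAT_HEADER_ONLY), ("tomcat hardened", TOMCAT_HARDENED)]:
        print(label, audit_response(raw))
```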

Thursday, March 13, 2014

GUI for NetApp Support Tools

The GUI for NetApp Support Tools is a Windows GUI that helps execute some of the important NetApp support tools.


Download Here