iperf server

It's been a while since I last post. I've been busy designing and implementing our BGP routers and Core switches. Also, I've been studying for my CCNP and CISSP exams. (Whew!!).
Anyway, I just want to share the tool I used to test your network bandwidth (Internet, Site to site, etc.). I used iPerf in a linux box. It uses a client/server type of testing.

If you want an iPerf server to test your Internet link, send me your email so I can provide you the details...

Security Awareness 101

This is a good source of information for basic IT security awareness. It was used to educate people during APEC summit though it was old, the information is still relevant for today's technology.

http://aoema.org/SafetyNet/tabid/54/Default.aspx

How to start your Security Awareness Program?

I must say I'm still in the process of learning and practising IT Security but I know I got a good background in securing an environment as I worked on every aspect of Information Technology. In a usual IT environment, the company has Active directory for Identity and Access control, Firewall and router for Network Connectivity, Antivirus, Mail, Backup and File servers. Now how would you start your security program? You cannot just start mandating all your employees to do this and that. In able to have a successful security program, at least to start, is to have the Top executive back you up in the program. You must get their approval on why security is needed and how will the company benefit. The program should also align with the company's mission and vision statement. A program would be hard to implement if there is no budget allocated. In able to get the figures, you can start with Risk Assessment. This will give you an overall view on what your assets (Data, Information, Process, etc) are and which one needs to be secure. The assessment is a long process but it would be able to give you a figure on how much to secure the company's assets.

Now how would you direct the program to the end-user?. For me I started it by putting Posters at the common area. I printed on an A4 paper regarding how valuable a strong password are and how to create a strong and complex password.

Generating keystore

To generate keystore file, a tool called keytool by Java is used to generate certificates. Make sure to use the latest java release to use the latest security library.

Check Java version:

#java -version

Generating keystore:

keytool -genkey -alias -keyalg -keysize -keystore keystorefile

Example:

#keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -keystore mykeystore.

Note: it will ask for the password to the keystore and alias. It can be the same.

Generate CSR:

keytool -certreq -alias -keystore -file

Example:

#keytool -certreq -alias myalias -keystore mykeystore -file mycsr.csr.

Note: it will prompt you for the keystore password specified above procedure.

Send the CSR to Public CA like TPP Internet, Thawte, etc. . After sending the file, download the corresponding CRT file for the domain created.

Importing CRT:

#keytool -import -trustcacerts -alias -file -keystore

Example:

keytool -import -trustcacerts -alias myalias -file certfromca.crt -keystore mykeystore

Redhat - Reduce size of root file system

The default file system layout from the Red Hat Enterprise Linux 5 installation process includes a special space for /boot and swap space then gives all left space to one logical volume and used the logical volume as root / volume.

Integrating all data files and system files in one file system is not always an ideal choice for production systems. If the system cannot be reinstalled, it is possible to reduce the size of the root file system and the logical volume on which it resides.

Reducing the logical volume on the root / volume must be done in rescue mode.

First, boot the system from Red Hat Enterprise Linux 5 Disc 1, and at the prompt, type linux rescue and press enter. When prompted for language, and keyboard, provide the pertinent information for the system. When prompted to enable the network devices on the system, select "No." Finally, select "Skip" when prompted to allow the rescue environment to mount Red Hat Enterprise Linux installation under the /mnt/sysimage directory. The filesystems MUST NOT be mounted to carry out the following steps.

Next run following commands to scan all disks LVM2 volume groups:

# lvm.static vgscan

Next, activate the logical volume to reduce. In this example, /dev/VolGroup00/LogVol00 was made available with the following command:

 # lvm.static lvchange -ay /dev/VolGroup00/LogVol00  

Next, reduce the size of file system and logical volume on /dev/VolGroup00/LogVol00. Please make sure there is enough space left on the root / file system and that the logical volume is large enough to contain all the data that was previously present. If the file system is at close to being full, for example, this may not work. Before resizing file system, run e2fsck to check file system first.

 # e2fsck -f /dev/VolGroup00/LogVol00 # resize2fs /dev/VolGroup00/LogVol00 3000M # lvm.static lvreduce -L 3000M /dev/VolGroup00/LogVol00  

Please note that this is done on /dev/VolGroup00/LogVol00. The number at the end is the final size of the file system, not the amount it is reduced by.

Finally, verify the modification then reboot the system.

 # lvm.static vgdisplay VolGroup00 # exit  

Mobile Device Management & Wireless Expense Management | MobileIron

People nowadays are using their mobile phone to access their corporate emails but the concern is how they could provide security for both end-user as well as the company.

Now the company can put into their own infrastructure or hosted one to provide this kinda of security. The product is called MobileIron.

Mobile Device Management & Wireless Expense Management | MobileIron

The company based in Sydney Australia called ManageNET can provide this kinda of service. link: http://www.managenet.com.au/solutions/mobile_device_management

Manual: CIS benchmark tests

This is a great tool to use if you want to benchmark your Linux box prior to deployment or audit the system against CIS Security benchmarks. Aside from this rootcheck, OSSEC can provide a server-client setup to run the file system integrity check (or other HIDS) to comply with PCI Compliance.

Reference: Manual: CIS benchmark tests

Manual: CIS benchmark tests

We just included support in the OSSEC Policy monitor to audit if a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are supported - the other versions will be soon).

If you want to try it out manually and provide some feedback to us, please follow the instructions bellow to test:

First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):

# wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
# tar -zxvf ossec-hids-080710.tar.gz
# cd ossec-hids-080710/src/
# make clean
# make libs
# cd rootcheck
# make binary

The binary ossec-rootcheck will be created on the current directory and we can start using it. A simple scan on my Ubuntu box looked like this: (note, that it will do all the normal rootcheck tests plus the CIS scans — just grep for CIS if you don’t want to see the rest):

# ./ossec-rootcheck
..

[INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without ‘nodev’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without ‘nosuid’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

..