
SARG INSTALLATION ON UBUNTU 12

SARG INSTALLATION AND CONFIGURATION ON UBUNTU 12


NOTE: a web server is required to view the reports.
apt-get install apache2
apt-get install sarg

nano /etc/sarg/sarg.conf
root@raabtaproxy:/etc/sarg# cat sarg.conf
# sarg.conf
#
# TAG:  access_log file
#       Where is the access.log file
#       sarg -l file
#
access_log /var/log/squid3/access.log

# TAG: graphs yes|no
#       Use graphics where is possible.
#           graph_days_bytes_bar_color blue|green|yellow|orange|brown|red
#
graphs yes
graph_days_bytes_bar_color orange

# TAG:  graph_font
#       The full path to the TTF font file to use to create the graphs. It is required
#       if graphs is set to yes.
#
#graph_font /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf

# TAG:  title
#       Specify the title for the html page.
#
title "Raabta Proxy User Access Reports"

# TAG:  font_face
#       Specify the font for the html page.
#
font_face Tahoma,Verdana,Arial

# TAG:  header_color
#       Specify the header color
#
header_color darkblue

# TAG:  header_bgcolor
#       Specify the header background color
#
header_bgcolor blanchedalmond

# TAG:  font_size
#       Specify the text font size
#
font_size 9px

# TAG:  header_font_size
#       Specify the header font size
#
#header_font_size 9px

# TAG:  title_font_size
#       Specify the title font size
#
#title_font_size 11px

# TAG:  background_color
#       Html page background color
#
background_color white

# TAG:  text_color
#       Html page text color
#
text_color #000000

# TAG:  text_bgcolor
#       Html page text background color
#
text_bgcolor lavender

# TAG:  title_color
#       Html page title color
#
title_color green

# TAG:  logo_image
#       Html page logo.
#
#logo_image none

# TAG:  logo_text
#       Html page logo text.
#
#logo_text ""

# TAG:  logo_text_color
#       Html page logo text color.
#
#logo_text_color #000000

# TAG:  logo_image_size
#       Html page logo image size.
#       width height
#
#image_size 80 45

# TAG:  background_image
#       Html page background image
#
#background_image none

# TAG:  password
#       User password file used by Squid authentication scheme
#       If used, generate reports just for that users.
#
#password none

# TAG:  temporary_dir
#       Temporary directory name for work files
#       sarg -w dir
#
temporary_dir /tmp

# TAG:  output_dir
#       The reports will be saved in that directory
#       sarg -o dir
#
#output_dir /var/www/html/squid-reports
output_dir /var/www/squid-reports

# TAG:  output_email
#       Email address to send the reports. If you use this tag, no html reports will be generated.
#       sarg -e email
#
#output_email none

# TAG:  resolve_ip yes/no
#       Convert ip address to dns name
#       sarg -n
resolve_ip yes

# TAG:  user_ip yes/no
#       Use Ip Address instead userid in reports.
#       sarg -p
user_ip no

# TAG:  topuser_sort_field field normal/reverse
#       Sort field for the Topuser Report.
#       Allowed fields: USER CONNECT BYTES TIME
#
topuser_sort_field BYTES reverse

# TAG:  user_sort_field field normal/reverse
#       Sort field for the User Report.
#       Allowed fields: SITE CONNECT BYTES TIME
#
user_sort_field BYTES reverse

# TAG:  exclude_users file
#       users within the file will be excluded from reports.
#       you can use indexonly to generate only the index.html file.
#
exclude_users /etc/sarg/exclude_users

# TAG:  exclude_hosts file
#       Hosts, domains or subnets will be excluded from reports.
#
#       Eg.: 192.168.10.10   - exclude ip address only
#            192.168.10.0/24 - exclude full C class
#            s1.acme.foo     - exclude hostname only

#            *.acme.foo      - exclude full domain name
#
exclude_hosts /etc/sarg/exclude_hosts

# TAG:  useragent_log file
#       useragent.log file path used to generate the useragent report.
#
#useragent_log none

# TAG:  date_format
#       Date format in reports: e (European=dd/mm/yy), u (American=mm/dd/yy), w (Weekly=yy.ww)
#
date_format u

# TAG:  per_user_limit file MB
#       Saves userid on file if download exceed n MB.
#       This option allow you to disable user access if user exceed a download limit.
#
#per_user_limit none

# TAG: lastlog n
#      How many report files must be kept in the reports directory.
#      The oldest report file will be automatically removed.
#      0 - no limit.
#
lastlog 0

# TAG: remove_temp_files yes
#      Remove temporary files: geral, usuarios, top, periodo from root report directory.
#
remove_temp_files yes

# TAG: index yes|no|only
#      Generate the main index.html.
#      only - generate only the main index.html
#
index yes

# TAG: index_tree date|file
#      How to generate the index.
#
index_tree file

# TAG: overwrite_report yes|no
#      yes - if a report for the date already exists it will be overwritten.
#       no - if a report for the date already exists it will be renamed to filename.n, filename.n+1
#
overwrite_report no

# TAG: records_without_userid ignore|ip|everybody
#      What can I do with records without user id (no authentication) in access.log file ?
#
#      ignore - This record will be ignored.
#          ip - Use ip address instead. (default)
#   everybody - Use "everybody" instead.
#
records_without_userid ip

# TAG: use_comma no|yes
#      Use a comma instead of a point in reports.
#      Eg.: use_comma yes => 23,450,110
#           use_comma no  => 23.450.110
#
use_comma yes

# TAG: mail_utility mail|mailx
#      Mail command to use to send reports via SMTP
#
mail_utility mailx

# TAG: topsites_num n
#      How many sites in topsites report.
#
topsites_num 100

# TAG: topsites_sort_order CONNECT|BYTES A|D
#      Sort for topsites report, where A=Ascendent, D=Descendent
#
topsites_sort_order CONNECT D

# TAG: index_sort_order A/D
#      Sort for index.html, where A=Ascendent, D=Descendent
#
index_sort_order D

# TAG: exclude_codes file
#      Ignore records with these codes. Eg.: NONE/400
#      Write one code per line. Lines starting with a # are ignored.
#      Only codes matching exactly one of the line is rejected. The
#      comparison is not case sensitive.
#
exclude_codes /etc/sarg/exclude_codes

# TAG: replace_index string
#      Replace "index.html" in the main index file with this string
#      If null "index.html" is used
#
#replace_index <?php echo str_replace(".", "_", $REMOTE_ADDR); echo ".html"; ?>

# TAG: max_elapsed milliseconds
#      If the elapsed time recorded in the log is greater than max_elapsed, use 0 for the elapsed time.
#      Use 0 for no checking
#
max_elapsed 28800000
# 8 Hours

# TAG: report_type type
#      What kind of reports to generate.
#      topusers            - users, sites, times, bytes, connects, links to accessed sites, etc
#      topsites            - site, connect and bytes report
#      sites_users         - users and sites report
#      users_sites         - accessed sites by the user report
#      date_time           - bytes used per day and hour report
#      denied              - denied sites with full URL report
#      auth_failures       - authentication failures report
#      site_user_time_date - sites, dates, times and bytes report
#      downloads           - downloads per user report
#
#      Eg.: report_type topsites denied
#
#report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads

# TAG: usertab filename
#      You can change the "userid" or the "ip address" to be a real user name on the reports.
#      If resolve_ip is active, the ip address is resolved before being looked up into this
#      file. That is, if you want to map the ip address, be sure to set resolv_ip to no or
#      the resolved name will be looked into the file instead of the ip address. Note that
#      it can be used to resolve any ip address known to the dns and then map the unresolved
#      ip addresses to a name found in the usertab file.
#      Table syntax:
#               userid name   or   ip address name
#      Eg:
#               SirIsaac Isaac Newton
#               vinci Leonardo da Vinci
#               192.168.10.1 Karol Wojtyla
#
#      Each line must be terminated with '\n'
#      If usertab have value "ldap" (case ignoring), user names
#      will be taken from an LDAP server. This method can also be used to obtain
#      usernames from Active Directory
#
usertab /etc/sarg/usertab

# TAG: LDAPHost hostname
#       FQDN or IP address of host with LDAP service or AD DC
#       default is '127.0.0.1'
#LDAPHost 127.0.0.1

# TAG: LDAPPort port
#       LDAP service port number
#       default is '389'
#LDAPPort 389

# TAG: LDAPBindDN CN=username,OU=group,DC=mydomain,DC=com
#       DN of LDAP user, who is authorized to read user's names from LDAP base
#       default is empty line
#LDAPBindDN cn=proxy,dc=mydomain,dc=local

# TAG: LDAPBindPW secret
#       Password of DN, who is authorized to read user's names from LDAP base
#       default is empty line
#LDAPBindPW secret
# TAG: LDAPBaseSearch OU=users,DC=mydomain,DC=com
#       LDAP search base
#       default is empty line
#LDAPBaseSearch ou=users,dc=mydomain,dc=local

# TAG: LDAPFilterSearch uid=%s
#       User search filter by user's logins in LDAP
#       The first record found will be used
#       %s - will be changed to userlogins from access.log file
#       filter string can have some tags '%s'
#       default value is 'uid=%s'
#LDAPFilterSearch uid=%s

# TAG: LDAPTargetAttr attributename
#       Name of the attribute containing a name of the user
#       default value is 'cn'
#LDAPTargetAttr cn

# TAG: long_url yes|no
#      If yes, the full url is shown in the report.
#      If no, only the site is shown
#
#      YES option generate very big sort files and reports.
#
long_url no

# TAG: date_time_by bytes|elap
#      Date/Time reports show the downloaded volume or the elapsed time or both.
#
date_time_by bytes

# TAG: charset name
#      ISO 8859 is a full series of 10 standardized multilingual single-byte coded (8bit)
#      graphic character sets for writing in alphabetic languages
#      You can use the following charsets:
#               Latin1          - West European
#               Latin2          - East European
#               Latin3          - South European
#               Latin4          - North European
#               Cyrillic
#               Arabic
#               Greek
#               Hebrew
#               Latin5          - Turkish
#               Latin6
#               Windows-1251
#               Japan
#               Koi8-r
#               UTF-8
#
charset Latin1

# TAG: user_invalid_char "&/"
#      Records that contain invalid characters in userid will be ignored by Sarg.
#
#user_invalid_char "&/"

# TAG: privacy yes|no
#      privacy_string "***.***.***.***"
#      privacy_string_color blue
#      In some countries the sysadm cannot see the visited sites by a restrictive law.
#      With privacy yes the visited url will be replaced by privacy_string and the link
#      will be removed from reports.
#
#privacy no
#privacy_string "***.***.***.***"
#privacy_string_color blue

# TAG: include_users "user1:user2:...:usern"
#      Reports will be generated only for listed users.
#
#include_users none

# TAG: exclude_string "string1:string2:...:stringn"
#      Records from access.log file that contain one of listed strings will be ignored.
#
#exclude_string none

# TAG: show_successful_message yes|no
#      Shows "Successful report generated on dir" at end of process.
#
show_successful_message no

# TAG: show_read_statistics yes|no
#      Shows some reading statistics.
#
show_read_statistics no

# TAG: topuser_fields
#      Which fields must be in Topuser report.
#
topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE

# TAG: user_report_fields
#      Which fields must be in User report.
#
user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE

# TAG: bytes_in_sites_users_report yes|no
#      Bytes field must be in Site & Users Report ?
#
#bytes_in_sites_users_report no

# TAG: topuser_num n
#      How many users in topsites report. 0 = no limit
#
topuser_num 0

# TAG: datafile file
#      Save the report results in a file to populate some database
#
#datafile none

# TAG: datafile_delimiter ";"
#      ascii character to use as a field separator in datafile
#
#datafile_delimiter ";"

# TAG: datafile_fields all
#      Which data fields must be in datafile
#      user;date;time;url;connect;bytes;in_cache;out_cache;elapsed
#
#datafile_fields user;date;time;url;connect;bytes;in_cache;out_cache;elapsed

# TAG: datafile_url ip|name
#      Saves the URL as ip or name in datafile
#
#datafile ip

# TAG: weekdays
#      The weekdays to take account ( Sunday->0, Saturday->6 )
# Example:
#weekdays 1-3,5
# Default:
#weekdays 0-6

# TAG: hours
#      The hours to take account
# Example:
#hours 7-12,14,16,18-20
# Default:
#hours 0-23

# TAG: dansguardian_conf file
#      DansGuardian.conf file path
#      Generate reports from DansGuardian logs.
#      Use 'none' to disable it.
#      dansguardian_conf /usr/dansguardian/dansguardian.conf
#
#dansguardian_conf none

# TAG: dansguardian_filter_out_date on|off
#      This option replaces dansguardian_ignore_date whose name was not appropriate with respect to its action.
#      Note the change of parameter value compared with the old option.
#      'off' use the record even if its date is outside of the range found in the input log file.
#      'on'  use the record only if its date is in the range found in the input log file.
#
#dansguardian_filter_out_date on

# TAG: squidguard_conf file
#      path to squidGuard.conf file
#      Generate reports from SquidGuard logs.
#      Use 'none' to disable.
#      You can use sarg -L filename to use an alternate squidGuard log.
#      squidguard_conf /usr/local/squidGuard/squidGuard.conf
#
#squidguard_conf none

# TAG: redirector_log file
#      the location of the web proxy redirector log such as one created by squidGuard or Rejik. The option
#      may be repeated up to 64 times to read multiple files.
#      If this option is specified, it takes precedence over squidguard_conf.
#      The command line option -L override this option.
#
#redirector_log /usr/local/squidGuard/var/logs/urls.log

# TAG: redirector_filter_out_date on|off
#      This option replaces squidguard_ignore_date and redirector_ignore_date whose names were not
#      appropriate with respect to their action.
#      Note the change of parameter value compared with the old options.
#      'off' use the record even if its date is outside of the range found in the input log file.
#      'on'  use the record only if its date is in the range found in the input log file.
#
#redirector_filter_out_date on

# TAG: redirector_log_format
#      Format string for web proxy redirector logs.
#      This option was named squidguard_log_format before sarg 2.3.
#      REJIK       #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #tmp#/#tmp#/#url#/#end#
#      SQUIDGUARD  #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#
#redirector_log_format #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#

# TAG: show_sarg_info yes|no
#      shows sarg information and site path on each report bottom
#
#show_sarg_info yes

# TAG: show_sarg_logo yes|no
#      shows sarg logo
#
#show_sarg_logo yes

# TAG: parsed_output_log directory
#      Saves the processed log in a sarg format after parsing the squid log file.
#      This is a way to dump all of the data structures out, after parsing from
#      the logs (presumably this data will be much smaller than the log files themselves),
#      and pull them back in for later processing and merging with data from previous logs.
#
#parsed_output_log none

# TAG: parsed_output_log_compress /bin/gzip|/usr/bin/bzip2|nocompress
#      Command to run to compress sarg parsed output log. It may contain
#      options (such as -f to overwrite existing target file). The name of
#      the file to compress is provided at the end of this
#      command line. Don't forget to quote things appropriately.
#
#parsed_output_log_compress /bin/gzip

# TAG: displayed_values bytes|abbreviation
#      how the values will be displayed in reports.
#      eg. bytes        -  209.526
#          abbreviation -  210K
#
#displayed_values bytes

# Report limits
# TAG: authfail_report_limit n
# TAG: denied_report_limit n
# TAG: siteusers_report_limit n
# TAG: squidguard_report_limit n
# TAG: user_report_limit n
# TAG: dansguardian_report_limit n
# TAG: download_report_limit n
#      report limits (lines).
#      '0' no limit
#
#authfail_report_limit 10
#denied_report_limit 10
#siteusers_report_limit 0
#squidguard_report_limit 10
#dansguardian_report_limit 10
#user_report_limit 10
#user_report_limit 50
# TAG: www_document_root dir
#     Where is your Web DocumentRoot
#     Sarg will create sarg-php directory with some PHP modules:
#     - sarg-squidguard-block.php - add urls from user reports to squidGuard DB
#
#www_document_root /var/www/html

# TAG: block_it module_url
#     This tag allow you to pass urls from user reports to a cgi or php module,
#     to be blocked by some Squid acl
#
#     Eg.: block_it /sarg-php/sarg-block-it.php
#     sarg-block-it is a php that will append a url to a flat file.
#     You must change /var/www/html/sarg-php/sarg-block-it to point to your file
#     in $filename variable, and chown to a httpd owner.
#
#     sarg will pass http://module_url?url=url
#
#block_it none

# TAG: external_css_file path
#     Provide the path to an external css file to link into the HTML reports instead of
#     the inline css written by sarg when this option is not set.
#
#     In versions prior to 2.3, this used to be an absolute file name to
#     a file to include verbatim in each HTML page but, as it takes a lot of
#     space, version 2.3 switched to a link to an external css file.
#     Therefore, this option must contain the HTTP server path on which a client
#     browser may find the css file.
#
#     Sarg uses these style classes:
#       .logo           logo class
#       .info           sarg information class, align=center
#       .title_c        title class, align=center
#       .header_c       header class, align:center
#       .header_l       header class, align:left
#       .header_r       header class, align:right
#       .text           text class, align:right
#       .data           table text class, align:right
#       .data2          table text class, align:left
#       .data3          table text class, align:center
#       .link           link class
#
#     Sarg can be instructed to output the internal css it inlines
#     into the reports with this command:
#
#        sarg --css
#
#     You can redirect the output to a file of your choice and edit
#     it to your liking.
#
#external_css_file none

# TAG: user_authentication yes|no
#     Allow user authentication in User Reports using .htaccess
#     Parameters:
#       AuthUserTemplateFile - The template to use to create the
#     .htaccess file. In the template, %u is replaced by the
#     user's ID for which the report is generated. The path of the
#     template is relative to the directory containing sarg
#     configuration file.
#
# user_authentication no
# AuthUserTemplateFile sarg_htaccess

# TAG: download_suffix "suffix,suffix,...,suffix"
#    file suffix to be considered as "download" in Download report.
#    Use 'none' to disable.
#
download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"

# TAG: ulimit n
#    The maximum number of open file descriptors to avoid "Too many open files" error message.
#    You need to run sarg as root to use ulimit tag.
#    If you run sarg with a low privilege user, set to 'none' to disable ulimit
#
#ulimit 20000

# TAG: ntlm_user_format username|domainname+username
#      NTLM users format.
#
#ntlm_user_format domainname+username
# TAG: realtime_refresh_time num sec
#      How often (in seconds) to auto-refresh the realtime report
#      0 = disable
#
# realtime_refresh_time 3

# TAG: realtime_access_log_lines num
#      How many last lines to get from access.log file
#
# realtime_access_log_lines 1000

# TAG: realtime_types: GET,PUT,CONNECT,ICP_QUERY,POST
#      Which records must be in realtime report.
#
# realtime_types GET,PUT,CONNECT

# TAG: realtime_unauthenticated_records: ignore|show
#      What to do with unauthenticated records in realtime report.
#
# realtime_unauthenticated_records: show

# TAG: byte_cost value no_cost_limit
#      Cost per byte.
#      Eg. byte_cost 0.01 100000000
#           per byte cost      = 0.01
#           bytes with no cost = 100 Mb
#      0 = disable
#
# byte_cost 0.01 50000000

# TAG: squid24 on|off
#      Compatibility with squid version <= 2.4 when using emulate_http_log on
#
# squid24 off

mkdir /var/www/squid-reports

nano /etc/sarg/sarg-reports.conf

root@raabtaproxy:/etc/sarg# cat sarg-reports.conf
       SARG=/usr/bin/sarg
     CONFIG=/etc/sarg/sarg.conf
    HTMLOUT=/var/www/squid-reports
  PAGETITLE="Access Reports on $(hostname)"
    LOGOIMG=/sarg/images/sarg.png
   LOGOLINK="http://$(hostname)/"
      DAILY=Daily
     WEEKLY=Weekly
    MONTHLY=Monthly
EXCLUDELOG1="SARG: No records found"
EXCLUDELOG2="SARG: End"

## To generate report of today
/usr/sbin/sarg-reports today
 
Crontab to generate reports
root#crontab -e
00 00 * * * /usr/sbin/sarg-reports daily
00 01 * * 1 /usr/sbin/sarg-reports weekly
03 02 1 * * /usr/sbin/sarg-reports monthly


HOW TO SHUTDOWN AND RESTART LINUX


How do I use shutdown command?

NOTE: Use the commands without sudo on other Linux distributions.

The shutdown command can be used to turn off or reboot a computer. Type the command as follows to shutdown server / computer immediately: 
$ sudo shutdown -h now
OR
$ sudo shutdown -h 0

How do I shutdown computer at specific time?

To shut down the computer at 6:45pm, enter:
$ sudo shutdown -h 18:45 "Server is going down for maintenance"

At 6:30pm a message will go out to all users, and at 6:45pm the system will shut down.

Please note that you can also use the halt, poweroff or reboot commands to stop and restart the system:
$ sudo halt
OR
$ sudo poweroff

How do I reboot computer?

Simply use reboot command: 
$ sudo reboot
OR
$ sudo shutdown -r 0

ZeroShell-2.0.RC2 Installation on Hard Disk

Install Zeroshell-2.0.RC2 on the hard disk

1. First download the image from the official site ZeroShell-2.0.RC2.iso. Also Download ZeroShell-2.0.RC2-IDE-USB-SATA-2GB.img.gz 


2. Open ISO image with magiciso and move to USR directory. Put zeroshell.x.x.x.img.gz in USR and save it.

3. Write ISO image to the cd

4. Boot system from that zeroshell CD and let it start

5. Press S, to go to the command mode.

6. Run the command fdisk -l to view the available devices (hard disks)

7. Now unpack the .img.gz image onto your hard drive by running the following commands (this writes the image over the whole of /dev/sda, so confirm from step 6 that it is the intended disk):

cd /usr
gunzip -c zeroshell-2.0.RC2.img.gz > /dev/sda
Wait for the image decompression to finish.

8. Reboot the system by running the command:
reboot

Remove the CD and system will boot from the hard drive.

Set your lan ip to 192.168.0.10/255.255.255.0 and gateway to 192.168.0.75

open web interface of ZeroShell using https://192.168.0.75
User: admin
Password: zeroshell

SQUID 3.3.3 COMPILATION ON UBUNTU 12


Compilation of Squid 3.3.3 on Ubuntu 12
## Switch to root user
sudo su

apt-get update

apt-get upgrade


tar -xzvf squid-3.3.3.tar.gz

apt-get install g++ gawk m4 gcc-multilib

NOTE: if you get any error regarding gcc, install it as follows
------------------------------------------------------------------------
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install gcc-4.7
------------------------------------------------------------------------

apt-get install smbclient

apt-get install openssl*

apt-get install libcap-*

## SQUID COMPILATION
./configure --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid3 --enable-delay-pools --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-arp-acl --enable-snmp --enable-gnuregex && echo $?

NOTE: for squid 3.3.3
--enable-arp-acl replaced with --enable-eui

make all && echo $?

make install && echo $?

## GENERATE CERTIFICATE
cd /usr/share/ssl-cert

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem  -out myCA.pem

openssl x509 -in myCA.pem -outform DER -out myCA.der

The resulting file should be imported into the 'Authorities' section of the users' browsers.
For example, in FireFox:
  1. Open 'Preferences'
  2. Go to the 'Advanced' section, 'Encryption' tab
  3. Press the 'View Certificates' button and go to the 'Authorities' tab
  4. Press the 'Import' button, select the .der file that was created previously and press 'OK'
## CONFIGURE SQUID
nano /etc/squid3/squid.conf

http_port 192.168.5.239:3128 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/share/ssl-cert/myCA.pem

##Also add the following lines to enable SSL bumping:
always_direct allow all
ssl_bump allow all
# the following two options disable verification of upstream server certificates; they are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Uncomment and adjust the following to add a disk cache directory.
cache_mem 100 MB
cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

## CREATE CACHE LOG FILE
touch /var/logs/cache.log
chown nobody:adm /var/logs/cache.log

touch /var/logs/access.log
chown nobody:adm /var/logs/access.log

chown nobody:adm /var/cache/squid

## TO INITIALIZE CACHE
/usr/sbin/squid -z

## TO RUN SQUID
/usr/sbin/squid &

NOTE: if you see the message below, disable or adjust the line “ssl_bump allow all” in /etc/squid3/squid.conf accordingly
SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.

## IPTABLES ENTRIES FOR TRANSPARENT PROXY

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

## TO ENABLE FORWARDING
echo "1">/proc/sys/net/ipv4/ip_forward

FIX BAD SECTORS IN HARD DRIVE

open command prompt in windows with Administrator privileges.

## Switch to drive having bad sectors
c:\>f:

## check the disk with below command
f:\>chkdsk  /f  /r

QMOBILE NOIR A50

Qmobile Noir A50 Launched

Specifications and Price
Price

Processor

ROM

SIZE

Camera

GPS

WLAN

3.5mm Ear Jack

Internal/External Memory 

Operating System

SIM Slot

RAM

Display

Network

Bluetooth

Battery
(N/A)

(1.x GHz Dual Core Processor)

(Present)

(N/A)

(Rear, Front)

(GPS/A-GPS)

(Wi-Fi 802.11)

(Present)

(Present)

(Android 4.1)

(Dual Sim)

(Present)

(4″ WVGA IPS LCD Display)

(GSM 900/1800/1900)

(Present)

(N/A)
 

All missing details coming soon...!

WIFI TIPS AND TRICKS

To show and delete wifi profiles in windows

To show the stored key of a Wi-Fi profile
netsh wlan show profiles name=[profile name] key=clear

To delete the stored profile from every WLAN interface:
netsh wlan delete profile name=[profile name]


If you want to delete the profile of a specific WLAN interface, you need to use the following:
netsh wlan delete profile name=[profile name] interface=[interface name]

WIFI DISCONNECTION
NOTE: if your Wi-Fi disconnects frequently, go to the wireless settings of your router or access point and select wireless channel 1, 6 or 11. These channels do not overlap with each other, which reduces interference between wireless devices and the frequent disconnections.

VSFTPD ON UBUNTU 12.04 WITH chroot_local_user=YES AND allow_writeable_chroot=YES

VSFTPD FOR UBUNTU 12.04

Vsftpd installation and configuration

1.    log in as root (or use sudo) and do the following:
2.    apt-get install python-software-properties
3.    sudo add-apt-repository ppa:thefrontiergroup/vsftpd
4.    sudo apt-get update
5.    sudo apt-get install vsftpd
6.    edit /etc/vsftpd.conf with vi and add the following line: allow_writeable_chroot=YES
7.    sudo service vsftpd restart

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES

#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

#
# Uncomment this to allow local users to log in.
local_enable=YES

#
# Uncomment this to enable any form of FTP write command.
write_enable=YES

#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES

#
# Activate logging of uploads/downloads.
xferlog_enable=YES

#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=root
#
local_umask=002
chmod_enable=YES
file_open_mode=0775

#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log

#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below. Note that allow_writeable_chroot=YES (set below)
# turns off vsftpd's refusal to run with a writable chroot root, which is
# exactly the risk the FAQ and the warning further down describe.
chroot_local_user=YES
allow_writeable_chroot=YES

#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty

#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd

#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.

rsa_cert_file=/etc/ssl/private/vsftpd.pem

BEAUTIFUL PAKISTAN

HOW TO SETUP VPN (PPTP) SERVER ON DEBIAN LINUX

VPN-ing into your server will allow you to connect to every possible service running on it, as if you were sitting next to it on the same network, without individually forwarding every port combination for every service you would like to access remotely.
Using a VPN connection also has the upshot of, if desired, granting access to other computers on the network as if you were in it locally, from anywhere across the internet.
While not the most secure of the VPN solutions out there, PPTP is by far the simplest to install, configure and connect to from any modern system and from windows specifically as the client is a part of the OS since the XP days and you don’t need to mess with certificates (like with L2TP+IPsec or SSL VPNs) on both sides of the connection.
You will need to forward port 1723 from the internet to the server to enable the connection (not covered here).
Server Setup
Install the pptp server package:
sudo aptitude install pptpd
Edit the “/etc/pptpd.conf” configuration file:
sudo vim /etc/pptpd.conf
Add to it:
localip 192.168.1.5
remoteip 192.168.1.234-238,192.168.1.245
Where the “localip” is the address of the server, and the remoteip are the addresses that will be handed out to the clients, it is up to you to adjust these for your network’s requirements.
Edit the “/etc/ppp/pptpd-options” configuration file:
sudo vim /etc/ppp/pptpd-options
Append to the end of the file, the following directives:
ms-dns 192.168.1.1
nobsdcomp
noipx
mtu 1490
mru 1490
Where the IP used for the ms-dns directive is the DNS server for the local network your client will be connecting to and, again, it is your responsibility to adjust this to your network’s configuration.
Edit the chap secrets file:
sudo vim /etc/ppp/chap-secrets
Add to it the authentication credentials for a user’s connection, in the following syntax (the file stores the password in clear text, so keep it readable by root only):
username <TAB> * <TAB> users-password <TAB> *
Restart the connection’s daemon for the settings to take effect:
sudo /etc/init.d/pptpd restart
If you don’t want to grant yourself access to anything beyond the server, then you’re done on the server side.
Enable Forwarding (optional)
While this step is optional and could be viewed as a security risk for the extremely paranoid, it is my opinion that not doing it defeats the purpose of even having a VPN connection into your network.
By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to “jump” through the VPN server, to all other devices on the network.
To achieve this we will be flipping the switch on the “forwarding” parameter of the system.
Edit the “sysctl” file:
sudo vim /etc/sysctl.conf
Find the “net.ipv4.ip_forward” line and change the parameter from 0 (disabled) to 1 (enabled):
net.ipv4.ip_forward=1
You can either restart the system or issue this command for the setting to take effect:
sudo sysctl -p
With forwarding enabled, all the server side settings are prepared.

RSYNC BACKUP LOCAL AND NETWORK

RSYNC
1.     --dry-run This tells rsync to not actually do anything. It will just write a log of what it would do to the screen. Once you've made sure everything will work as you expect, you have to remove this option, and run the command again to perform the actual backup.
2.     --delete deletes files from the destination that no longer exist on the system being backed up (the source). (Optional)
3.     -a preserves the date and times, and permissions of the files (same as -rlptgoD).
4.   --exclude To exclude a directory from backing up

With this option rsync will:
1.     Descend recursively into all directories (-r),
2.     copy symlinks as symlinks (-l),
3.     preserve file permissions (-p),
4.     preserve modification times (-t),
5.     preserve groups (-g),
6.     preserve file ownership (-o), and
7.     preserve devices as devices (-D).
5.     -z compresses the data
6.     -vv increases the verbosity of the reporting process
7.     -e specifies remote shell to use
8.     /folder1 and folder2 In the examples below, folder1 and folder2 are placeholders for the directories to be synchronized. Folder1 is the original folder, and folder2 is the new folder, or an existing one to be brought in sync with the first. Replace them with the folders you'd like. A / was added after folder1 so that only the contents, rather than the whole folder, would be copied into the second.

LOCAL BACKUP
rsync -azvv /home/user/testsync/  /home/user/testsync

rsync -azvvrlptgo /home/user/testsync/  /home/user/testsync

Be careful with --delete and use --dry-run first to test
rsync --dry-run -azvv --delete /home/user/testsync/  /home/user/testsync

To Exclude a Directory
rsync -azvv --exclude 'dir1' /home/path/folderA/ /home/path/folderB

NETWORK BACKUP
rsync -azvv -e ssh /home/user/testsync/ user@192.168.1.10:/home/user/testsync

rsync -azvrlptgo --delete -e ssh /home/user/testsync/ user@192.168.1.10:/home/user/testsync

SYMMETRIC AND ASYMMETRIC ENCRYPTION

Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

Asymmetric Encryption
The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. 

Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. 

This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

PORTS AND PROTOCOLS

TABLE LEGEND
Use
Description
Color
Official
Port is registered with IANA for the application
White
Unofficial
Port is not registered with IANA for the application  
Red
Multiple use
Multiple applications are known to use this port.
Purple

WELL KNOWN PORTS
Port
TCP
UDP
Description
Status
0

UDP
Reserved
Official
1
TCP
UDP
TCP Port Service Multiplexer (TCPMUX)
Official
2
TCP
UDP
CompressNET Management Utility
Official
3
TCP
UDP
CompressNET Compression Process
Official
4
TCP
UDP
Unassigned
Official
5
TCP
UDP
Remote Job Entry
Official
7
TCP
UDP
Echo Protocol
Official
8
TCP
UDP
Unassigned
Official
9
TCP
UDP
Discard Protocol
Official
9

UDP
Wake-on-LAN
Unofficial
10
TCP
UDP
Unassigned
Official
11
TCP
UDP
Active Users (systat service)
Official
12
TCP
UDP
Unassigned
Official
13
TCP
UDP
Daytime Protocol (RFC 867)
Official
14
TCP
UDP
Unassigned
Official
15
TCP
UDP
Previously netstat service
Unofficial
16
TCP
UDP
Unassigned
Official
17
TCP
UDP
Quote of the Day
Official
18
TCP
UDP
Message Send Protocol
Official
19
TCP
UDP
Character Generator Protocol (CHARGEN)
Official
20
TCP
UDP
FTP data transfer
Official
21
TCP

FTP control (command)
Official
22
TCP
UDP
Secure Shell (SSH) — used for secure logins, file transfers (scp, sftp) and port forwarding
Official
23
TCP
UDP
Telnet protocol—unencrypted text communications
Official
24
TCP
UDP
Priv-mail : any private mail system.
Official
25
TCP

Simple Mail Transfer Protocol (SMTP)—used for e-mail routing between mail servers
Official
26
TCP
UDP
Unassigned
Official
27
TCP
UDP
NSW User System FE
Official
29
TCP
UDP
MSG ICP
Official
33
TCP
UDP
Display Support Protocol
Official
35
TCP
UDP
Any private printer server protocol
Official
37
TCP
UDP
TIME protocol
Official
39
TCP
UDP
Resource Location Protocol (RLP)—used for determining the location of higher level services from hosts on a network
Official
40
TCP
UDP
Unassigned
Official
42
TCP
UDP
ARPA Host Name Server Protocol
Official
42
TCP
UDP
Windows Internet Name Service
Unofficial
43
TCP

WHOIS protocol
Official
47
TCP
UDP
NI FTP
Official
49
TCP
UDP
TACACS Login Host protocol
Official
50
TCP
UDP
Remote Mail Checking Protocol
Official
51
TCP
UDP
IMP Logical Address Maintenance
Official
52
TCP
UDP
XNS (Xerox Network Systems) Time Protocol
Official
53
TCP
UDP
Domain Name System (DNS)
Official
54
TCP
UDP
XNS (Xerox Network Systems) Clearinghouse
Official
55
TCP
UDP
ISI Graphics Language (ISI-GL)
Official
56
TCP
UDP
XNS (Xerox Network Systems) Authentication
Official
56
TCP
UDP
Route Access Protocol (RAP)
Unofficial
57
TCP

Mail Transfer Protocol (RFC 780)
Official
58
TCP
UDP
XNS (Xerox Network Systems) Mail
Official
64
TCP
UDP
CI (Travelport) (formerly Covia) Comms Integrator
Official
67

UDP
Bootstrap Protocol (BOOTP) Server; also used by Dynamic Host Configuration Protocol (DHCP)
Official
68

UDP
Bootstrap Protocol (BOOTP) Client; also used by Dynamic Host Configuration Protocol (DHCP)
Official
69

UDP
Trivial File Transfer Protocol (TFTP)
Official
70
TCP

Gopher protocol
Official
71
TCP

NETRJS protocol
Official
72
TCP

NETRJS protocol
Official
73
TCP

NETRJS protocol
Official
74
TCP

NETRJS protocol
Official
79
TCP

Finger protocol
Official
80
TCP

Hypertext Transfer Protocol (HTTP)
Official
81
TCP

Torpark—Onion routing
Unofficial
82

UDP
Torpark—Control
Unofficial
88
TCP
UDP
Kerberos—authentication system
Official
90
TCP
UDP
dnsix (DoD Network Security for Information Exchange) Security Attribute Token Map
Official
90
TCP
UDP
PointCast (dotcom)
Unofficial
99
TCP

WIP Message protocol
Unofficial
100

UDP
CyberGate RAT protocol
Unofficial
101
TCP

NIC host name
Official
102
TCP

ISO-TSAP (Transport Service Access Point) Class 0 protocol; also used by Digital Equipment Corporation DECnet (Phase V+) over TCP/IP
Official
104
TCP
UDP
ACR/NEMA Digital Imaging and Communications in Medicine (DICOM)
Official
105
TCP
UDP
CCSO Nameserver Protocol (Qi/Ph)
Official
107
TCP

Remote TELNET Service protocol
Official
108
TCP
UDP
SNA Gateway Access Server
Official
109
TCP

Post Office Protocol v2 (POP2)
Official
110
TCP

Post Office Protocol v3 (POP3)
Official
111
TCP
UDP
ONC RPC (Sun RPC)
Official
113
TCP

Ident—Authentication Service/Identification Protocol, used by IRC servers to identify users
Official
113

UDP
Authentication Service (auth)
Official
115
TCP

Simple File Transfer Protocol (SFTP)
Official
117
STD

UUCP Path Service
Official
118
TCP
UDP
SQL (Structured Query Language) Services
Official
119
TCP

Network News Transfer Protocol (NNTP)—retrieval of newsgroup messages
Official
123

UDP
Network Time Protocol (NTP)—used for time synchronization
Official
126
TCP
UDP
Formerly Unisys Unitary Login, renamed by Unisys to NXEdit. Used by Unisys Programmer's Workbench for Clearpath MCP, an IDE for Unisys MCP software development
Official
135
TCP
UDP
DCE endpoint resolution
Official
135
TCP
UDP
Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM
Unofficial
137
TCP
UDP
NetBIOS NetBIOS Name Service
Official
138
TCP
UDP
NetBIOS NetBIOS Datagram Service
Official
139
TCP
UDP
NetBIOS NetBIOS Session Service
Official
143
TCP

Internet Message Access Protocol (IMAP)—management of email messages
Official
152
TCP
UDP
Background File Transfer Program (BFTP)
Official
153
TCP
UDP
SGMP, Simple Gateway Monitoring Protocol
Official
156
TCP
UDP
SQL Service
Official
158
TCP
UDP
DMSP, Distributed Mail Service Protocol
Unofficial
161

UDP
Simple Network Management Protocol (SNMP)
Official
162
TCP
UDP
Simple Network Management Protocol Trap (SNMPTRAP)
Official
170
TCP

Print-srv, Network PostScript
Official
175
TCP

VMNET (IBM z/VM, z/OS & z/VSE - Network Job Entry(NJE))
Official
177
TCP
UDP
X Display Manager Control Protocol (XDMCP)
Official
179
TCP

BGP (Border Gateway Protocol)
Official
194
TCP
UDP
Internet Relay Chat (IRC)
Official
199
TCP
UDP
SMUX, SNMP Unix Multiplexer
Official
201
TCP
UDP
AppleTalk Routing Maintenance
Official
209
TCP
UDP
The Quick Mail Transfer Protocol
Official
210
TCP
UDP
ANSI Z39.50
Official
213
TCP
UDP
Internetwork Packet Exchange (IPX)
Official
218
TCP
UDP
Message posting protocol (MPP)
Official
220
TCP
UDP
Internet Message Access Protocol (IMAP), version 3
Official
259
TCP
UDP
ESRO, Efficient Short Remote Operations
Official
264
TCP
UDP
BGMP, Border Gateway Multicast Protocol
Official
280
TCP
UDP
http-mgmt
Official
300
TCP

ThinLinc Web Access
Unofficial
308
TCP

Novastor Online Backup
Official
311
TCP

Mac OS X Server Admin (officially AppleShare IP Web administration)
Official
318
TCP
UDP
PKIX TSP, Time Stamp Protocol
Official
319

UDP
Precision time protocol event messages
Official
320

UDP
Precision time protocol general messages
Official
350
TCP
UDP
MATIP-Type A, Mapping of Airline Traffic over Internet Protocol
Official
351
TCP
UDP
MATIP-Type B, Mapping of Airline Traffic over Internet Protocol
Official
366
TCP
UDP
ODMR, On-Demand Mail Relay
Official
369
TCP
UDP
Rpc2portmap
Official
370
TCP

codaauth2—Coda authentication server
Official
370

UDP
codaauth2—Coda authentication server
Official
370

UDP
securecast1—Outgoing packets to NAI's servers
Unofficial
371
TCP
UDP
ClearCase albd
Official
383
TCP
UDP
HP data alarm manager
Official
384
TCP
UDP
A Remote Network Server System
Official
387
TCP
UDP
AURP, AppleTalk Update-based Routing Protocol[19]
Official
389
TCP
UDP
Lightweight Directory Access Protocol (LDAP)
Official
399
TCP
UDP
Digital Equipment Corporation DECnet (Phase V+) over TCP/IP
Official
401
TCP
UDP
UPS Uninterruptible Power Supply
Official
427
TCP
UDP
Service Location Protocol (SLP)
Official
443
TCP

HTTPS (Hypertext Transfer Protocol over SSL/TLS)
Official
444
TCP
UDP
SNPP, Simple Network Paging Protocol (RFC 1568)
Official
445
TCP

Microsoft-DS Active Directory, Windows shares
Official
445
TCP

Microsoft-DS SMB file sharing
Official
464
TCP
UDP
Kerberos Change/Set password
Official
465
TCP

URL Rendesvous Directory for SSM (Cisco protocol)
Official
475
TCP
UDP
tcpnethaspsrv (Aladdin Knowledge Systems Hasp services, TCP/IP version)
Official
497
TCP

Dantz Retrospect
Official
500

UDP
Internet Security Association and Key Management Protocol (ISAKMP)
Official
502
TCP
UDP
Modbus, Protocol
Unofficial
504
TCP
UDP
Citadel—multiservice protocol for dedicated clients for the Citadel groupware system
Official
512
TCP

Rexec, Remote Process Execution
Official
512

UDP
comsat, together with biff
Official
513
TCP

rlogin
Official
513

UDP
Who
Official
514
TCP

Shell—used to execute non-interactive commands on a remote system (Remote Shell, rsh, remsh)
Official
514

UDP
Syslog—used for system logging
Official
515
TCP

Line Printer Daemon—print service
Official
517

UDP
Talk
Official
518

UDP
NTalk
Official
520
TCP

efs, extended file name server
Official
520

UDP
Routing Information Protocol (RIP)
Official
524
TCP
UDP
NetWare Core Protocol (NCP) is used for a variety things such as access to primary NetWare server resources, Time Synchronization, etc.
Official
525

UDP
Timed, Timeserver
Official
530
TCP
UDP
RPC
Official
531
TCP
UDP
AOL Instant Messenger
Unofficial
532
TCP

netnews
Official
533

UDP
netwall, For Emergency Broadcasts
Official
540
TCP

UUCP (Unix-to-Unix Copy Protocol)
Official
542
TCP
UDP
commerce (Commerce Applications)
Official
543
TCP

klogin, Kerberos login
Official
544
TCP

kshell, Kerberos Remote shell
Official
545
TCP

OSIsoft PI (VMS), OSISoft PI Server Client Access
Unofficial
546
TCP
UDP
DHCPv6 client
Official
547
TCP
UDP
DHCPv6 server
Official
548
TCP

Apple Filing Protocol (AFP) over TCP
Official
550
TCP
UDP
new-rwho, new-who
Official
554
TCP
UDP
Real Time Streaming Protocol (RTSP)
Official
556
TCP

Remotefs, RFS, rfs_server
Official
560

UDP
rmonitor, Remote Monitor
Official
561

UDP
monitor
Official
563
TCP
UDP
NNTP protocol over TLS/SSL (NNTPS)
Official
587
TCP

e-mail message submission (SMTP)
Official
591
TCP

FileMaker 6.0 (and later) Web Sharing (HTTP Alternate, also see port 80)
Official
593
TCP
UDP
HTTP RPC Ep Map, Remote procedure call over Hypertext Transfer Protocol, often used by Distributed Component Object Model services and Microsoft Exchange Server
Official
604
TCP

TUNNEL profile, a protocol for BEEP peers to form an application layer tunnel
Official
623

UDP
ASF Remote Management and Control Protocol (ASF-RMCP)
Official
631
TCP
UDP
Internet Printing Protocol (IPP)
Official
631
TCP
UDP
Common Unix Printing System (CUPS)
Unofficial
635
TCP
UDP
RLZ DBase
Official
636
TCP
UDP
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
Official
639
TCP
UDP
MSDP, Multicast Source Discovery Protocol
Official
641
TCP
UDP
SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic
Official
646
TCP
UDP
LDP, Label Distribution Protocol, a routing protocol used in MPLS networks
Official
647
TCP

DHCP Failover protocol
Official
648
TCP

RRP (Registry Registrar Protocol)
Official
651
TCP
UDP
IEEE-MMS
Official
653
TCP
UDP
SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic
Official
654
TCP

Media Management System (MMS) Media Management Protocol (MMP)
Official
657
TCP
UDP
IBM RMC (Remote monitoring and Control) protocol, used by System p5 AIX Integrated Virtualization Manager (IVM) and Hardware Management Consoleto connect managed logical partitions (LPAR) to enable dynamic partition reconfiguration
Official
660
TCP

Mac OS X Server administration
Official
666

UDP
Doom, first online first-person shooter
Official
666
TCP

airserv-ng, aircrack-ng's server for remote-controlling wireless devices
Unofficial
674
TCP

ACAP (Application Configuration Access Protocol)
Official
688
TCP
UDP
REALM-RUSD (ApplianceWare Server Appliance Management Protocol)
Official
691
TCP

MS Exchange Routing
Official
694
TCP
UDP
Linux-HA High availability Heartbeat
Official
695
TCP

IEEE-MMS-SSL (IEEE Media Management System over SSL)
Official
698

UDP
OLSR (Optimized Link State Routing)
Official
700
TCP

EPP (Extensible Provisioning Protocol), a protocol for communication between domain name registries and registrars (RFC 5734)
Official
701
TCP

LMP (Link Management Protocol (Internet)), a protocol that runs between a pair of nodes and is used to manage traffic engineering (TE) links
Official
702
TCP

IRIS (Internet Registry Information Service) over BEEP (Blocks Extensible Exchange Protocol) (RFC 3983)
Official
706
TCP

Secure Internet Live Conferencing (SILC)
Official
711
TCP

Cisco Tag Distribution Protocol—being replaced by the MPLS Label Distribution Protocol
Official
712
TCP

Topology Broadcast based on Reverse-Path Forwarding routing protocol (TBRPF) (RFC 3684)
Official
749
TCP
UDP
Kerberos (protocol) administration
Official
750

UDP
kerberos-iv, Kerberos version IV
Official
751
TCP
UDP
kerberos_master, Kerberos authentication
Unofficial
752

UDP
passwd_server, Kerberos Password (kpasswd) server
Unofficial
753
TCP

Reverse Routing Header (rrh)
Official
753

UDP
Reverse Routing Header (rrh)
Official
753

UDP
userreg_server, Kerberos userreg server
Unofficial
754
TCP

tell send
Official
754
TCP

krb5_prop, Kerberos v5 slave propagation
Unofficial
754

UDP
tell send
Official
760
TCP
UDP
krbupdate [kreg], Kerberos registration
Unofficial
782
TCP

Conserver serial-console management server
Unofficial
783
TCP

SpamAssassin spamd daemon
Unofficial
800

UDP
mdbe daemon
Official
808
TCP

Microsoft Net.TCP Port Sharing Service
Official
829
TCP

Certificate Management Protocol
Unofficial
843
TCP

Adobe Flash
Unofficial
847
TCP

DHCP Failover protocol
Official
848
TCP
UDP
Group Domain Of Interpretation (GDOI) protocol
Official
860
TCP

iSCSI (RFC 3720)
Official
861
TCP
UDP
OWAMP control (RFC 4656)
Official
862
TCP
UDP
TWAMP control (RFC 5357)
Official
873
TCP

rsync file synchronization protocol
Official
888
TCP

cddbp, CD DataBase (CDDB) protocol (CDDBP)
Unofficial
897
TCP
UDP
Brocade SMI-S RPC
Unofficial
898
TCP
UDP
Brocade SMI-S RPC SSL
Unofficial
901
TCP

Samba Web Administration Tool (SWAT)
Unofficial
901
TCP

VMware Virtual Infrastructure Client (UDP from server being managed to management console)
Unofficial
901

UDP
VMware Virtual Infrastructure Client (UDP from server being managed to management console)
Unofficial
902
TCP

ideafarm-door
Official
902
TCP

VMware Server Console (TCP from management console to server being Managed)
Unofficial
902

UDP
ideafarm-door
Official
902

UDP
VMware Server Console (UDP from server being managed to management console)
Unofficial
903
TCP

VMware Remote Console
Unofficial
904
TCP

VMware Server Alternate (if 902 is in use, i.e. SUSE linux)
Unofficial
911
TCP

Network Console on Acid (NCA)—local tty redirection over OpenSSH
Unofficial
944

UDP
Network File System (protocol) Service
Unofficial
953
TCP
UDP
Domain Name System (DNS) RNDC Service
Unofficial
973

UDP
Network File System (protocol) over IPv6 Service
Unofficial
981
TCP

SofaWare Technologies Remote HTTPS management for firewall devices running embedded Check Point FireWall-1 software
Unofficial
987
TCP

Microsoft Corporation Microsoft Windows SBS SharePoint
Unofficial
989
TCP
UDP
FTPS Protocol (data): FTP over TLS/SSL
Official
990
TCP
UDP
FTPS Protocol (control): FTP over TLS/SSL
Official
991
TCP
UDP
NAS (Netnews Administration System)
Official
992
TCP
UDP
TELNET protocol over TLS/SSL
Official
993
TCP

Internet Message Access Protocol over SSL (IMAPS)
Official
995
TCP

Post Office Protocol 3 over TLS/SSL (POP3S)
Official
999
TCP

ScimoreDB Database System
Unofficial
1002
TCP

Opsware agent (aka cogbot)
Unofficial
1010
TCP

ThinLinc Web Administration
Unofficial
1023
TCP
UDP
Reserved
Official

STP – Spanning Tree Protocol

STP - Spanning Tree Protocol
The 802.1D Spanning Tree Protocol (STP) standard was designed at a time when the recovery of connectivity after an outage within a minute or so was considered adequate performance. With the advent of Layer 3 switching in LAN environments, bridging now competes with routed solutions where protocols, such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP), are able to provide an alternate path in less time.

Cisco enhanced the original 802.1D specification with features such as Uplink Fast, Backbone Fast, and Port Fast to speed up the convergence time of a bridged network. The drawback is that these mechanisms are proprietary and need additional configuration.

Rapid Spanning Tree Protocol (RSTP; IEEE 802.1w) can be seen as an evolution of the 802.1D standard more than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged so users familiar with 802.1D can rapidly configure the new protocol comfortably. In most cases, RSTP performs better than proprietary extensions of Cisco without any additional configuration. 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis. This drops the benefits it introduces.

The new edition of the 802.1D standard, IEEE 802.1D-2004, incorporates IEEE 802.1t-2001 and IEEE 802.1w standards.

This document provides information about the enhancements added by RSTP to the previous 802.1D standard.

802.1D defines these five different port states:
1. disabled
2. listening
3. learning
4. blocking
5. forwarding

Port States
There are only three port states left in RSTP that correspond to the three possible operational states. The 802.1D disabled, blocking, and listening states are merged into a unique 802.1w discarding state.

STP (802.1D) Port State
RSTP (802.1w) Port State
Is Port Included in Active Topology?
Is Port Learning MAC Addresses?
Disabled
Discarding
No
No
Blocking
Discarding
No
No
Listening
Discarding
Yes
No
Learning
Learning
Yes
Yes
Forwarding
Forwarding
Yes
Yes


Root Port Roles
The port that receives the best BPDU on a bridge is the root port. This is the port that is the closest to the root bridge in terms of path cost. The STA elects a single root bridge in the whole bridged network (per-VLAN). The root bridge sends BPDUs that are more useful than the ones any other bridge sends. The root bridge is the only bridge in the network that does not have a root port. All other bridges receive BPDUs on at least one port.




Designated Port Role
A port is designated if it can send the best BPDU on the segment to which it is connected. 802.1D bridges link together different segments, such as Ethernet segments, to create a bridged domain. On a given segment, there can only be one path toward the root bridge. If there are two, there is a bridging loop in the network. All bridges connected to a given segment listen to the BPDUs of each and agree on the bridge that sends the best BPDU as the designated bridge for the segment. The port on that bridge that corresponds is the designated port for that segment.

Alternate and Backup Port Roles
These two port roles correspond to the blocking state of 802.1D. A blocked port is defined as not being the designated or root port. A blocked port receives a more useful BPDU than the one it sends out on its segment. Remember that a port absolutely needs to receive BPDUs in order to stay blocked. RSTP introduces these two roles for this purpose.

An alternate port receives more useful BPDUs from another bridge and is a port blocked. This is shown in this diagram:

A backup port receives more useful BPDUs from the same bridge it is on and is a port blocked. This is shown in this diagram:

This distinction is already made internally within 802.1D. This is essentially how Cisco UplinkFast functions. The rationale is that an alternate port provides an alternate path to the root bridge and therefore can replace the root port if it fails. Of course, a backup port provides redundant connectivity to the same segment and cannot guarantee an alternate connectivity to the root bridge. Therefore, it is excluded from the uplink group.
As a result, RSTP calculates the final topology for the spanning tree that uses the same criteria as 802.1D. There is absolutely no change in the way the different bridge and port priorities are used. The name blocking is used for the discarding state in Cisco implementation. CatOS releases 7.1 and later still display the listening and learning states. This gives even more information about a port than the IEEE standard requires. However, the new feature is now there is a difference between the role the protocol determines for a port and its current state. For example, it is now perfectly valid for a port to be designated and blocking at the same time. While this typically occurs for very short periods of time, it simply means that this port is in a transitory state towards the designated forwarding state.

New BPDU Format
Few changes have been introduced by RSTP to the BPDU format. Only two flags, Topology Change (TC) and TC Acknowledgment (TCA), are defined in 802.1D. However, RSTP now uses all six bits of the flag byte that remain in order to perform:

Encode the role and state of the port that originates the BPDU

Handle the proposal/agreement mechanism




Another important change is that the RSTP BPDU is now of type 2, version 2. The implication is that legacy bridges must drop this new BPDU. This property makes it easy for a 802.1w bridge to detect legacy bridges connected to it.

Information Security Interview Questions & Answers

1. What’s the difference between a router, a bridge, a hub and a switch?
A router joins multiple networks together
A bridge connects a LAN to another LAN
A hub is a device that connects multiple computers together (single collision domain, every frame is broadcast to all ports)
A switch joins multiple computers together (separate collision domain on each port, frames are forwarded only to the destination port rather than broadcast)
2. Please explain how the SSL protocol works?
TLS/SSL authenticates and secures data transfers by using certificate-based authentication and symmetric encryption keys. A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). SSL has become part of an overall security protocol known as Transport Layer Security (TLS).
3. What is a Syn Flood attack, and how to prevent it?
The attacker floods the system with a series of TCP SYN packets. Each packet causes the system to issue a SYN-ACK response and then wait for the ACK that completes the 3-way handshake. Since the attacker never sends that final ACK, the half-open connections exhaust the system's resources (the backlog queue fills). Once the queue is full, the system ignores incoming requests from legitimate users for services (http/mail etc).
How to Prevent it?
with a Firewall

Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check
iptables -A INPUT -f -j DROP

XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
4. Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
Software that is intended to damage or disable computers and computer systems.

4.1. Restart windows and load in safe mode with F8
4.2. delete temporary files
4.3. scan with a malwarebytes
or
4.4. boot with linux and scan 
5. What kind of authentication does AD use?
The two types of authentication are Mutual Authentication and NTLM. Mutual Authentication requires both the server and the client to identify themselves. NTLM only requires the client to be validated by the server.
6. What’s the difference between a Proxy and a Firewall?
Proxy acts as an intermediary for requests from clients seeking resources from other servers.
Firewall designed to permit or deny network transmissions based upon a set of rules
7. What is Cross-Site Scripting and how can it be prevented?
Cross-Site Scripting (also known as XSS, or CSS in older literature) is generally believed to be one of the most common application-layer attack techniques. It allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page so that the script executes in the victim's browser and can gather data. It is prevented by validating input and encoding output for the context in which it is placed in the page.
8. What’s the difference between symmetric and asymmetric encryption?
Symmetric encryption use secret key only
Asymmetric encryption use public key and private key 
9. What’s the difference between encryption and hashing?
Encryption provides a 1:1 mapping between an arbitrary-length input and an output, and it is always reversible.


A hash provides a mapping between an arbitrary-length input and a (usually) fixed-length (or smaller) output. It is always a many:1 mapping, so it is not reversible.
10. Why should I use server certificates on my e-commerce website?
It is the site operator's responsibility to secure the information collected for business transactions.
11. What’s port scanning and how does it work?
A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.
12. Please explain how asymmetric encryption works?
Asymmetric encryption uses two related keys—a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.
13. Can a server certificate prevent SQL injection attacks against your system? Please explain.
A SQL injection attack is a form of attack that comes from user input which has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

No. Enabling a web application to authenticate and access the database requires a Secure Shell (SSH) client on the web server and an SSH server on the database server. SSH secures the connection by encrypting the data stream, including passwords and other sensitive data, and eliminates network-level attacks; but neither SSH nor a server certificate validates user input, so SQL injection must be prevented in the application itself (parameterised queries and input validation).
14. Do you have a home lab? If so, how do you use it to perfect your skills.

15. What is a Man In The Middle attack?
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
16. Take me through the process of pen testing a system.
A penetration test evaluates the security of a computer system or network by simulating an attack by a malicious user, commonly known as a hacker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, if one is discovered.
17. What is vulnerability test and how do you perform it?
A network vulnerability assessment evaluates all your systems as they are seen remotely from the Internet on a daily, weekly, or monthly basis. From there, potential security vulnerabilities and changes in the network that could be exploited by attackers are revealed before they are taken advantage of.
18. What are the latest threats you foresee for the near future?
19. How would you harden a Windows Server? What about a Linux Server?
20. What do you understand by layered security approach?
21. What’s the better approach setting up a firewall: dropping or rejecting unwanted packets and why?
22. Please detail 802.1x security vs. 802.11 security (don’t confuse the protocols).
The 802.1x standard offers an effective framework for authenticating and controlling user traffic to a protected network. 802.1x allows wireless services to have centralized authentication of wireless users or stations. 802.1x ties a protocol called Extensible Authentication Protocol (EAP) to the wireless local area network (WLAN) media.

23. What is stateful packet inspection?
Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall keeps track of it. When a packet comes back to the firewall, the firewall can tell whether or not the in-bound packet is a reply to the packet that was sent out.
24. What is NAT and how does it work?
The network address translation (NAT) is a routing protocol component that, when enabled on a server running the Routing and Remote Access service, translates IPv4 addresses and TCP or UDP port numbers of request packets originating from a client on a private network, forwards the translated packets to a destination computer on the Internet (or other public network), and then performs reverse translation for response packets sent by the destination computer back to the client.
25. What is a buffer overflow?
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
26. What are the most common application security flaws?
27. What is a false positive?

Managerial
1. What is ISO 27001 and why should a company adopt it?
2. Please describe step-by-step how you would prepare and perform an audit of any given system.
3. What is a “RISK”, how can it be measured and what actions can be taken to treat it?
4. Please describe the steps to be taken by a company implementing an ISMS framework
5. Why did you become (CISSP/CISA) certified?
6. During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation?
7. Within the PCI-DSS sphere, what is a compensating control?
8. Who is the ultimate responsible to classify a company’s information: the Infosec Team or the information owner?
9.  Please describe the process of evaluating and analysing risks.
10. What actions would you take to change end user behavior towards InfoSec?
11. How do you ensure a secure software development? What are the best practices to be followed?

Hosts Entry in Windows 7

How to Resolve Domain Login Delay issue?
How to add hosts entry in windows 7?

1. Open Notepad with "Run as Administrator" privileges

2. Open the Windows hosts file from c:\windows\system32\drivers\etc\hosts

3. Add a hosts entry at the end of the file and save

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#127.0.0.1       localhost
#::1             localhost

192.168.1.14    mydomain.com.pk

Penetration Testing

Backtrack Penetration Testing:

What is Penetration Testing?
Penetration testing is the legal and authorized attempt to exploit a computer system with the intent of making a network or system more secure. The process includes scanning systems to look for weak spots, then launching attacks to prove that the system is vulnerable to attack from a real hacker.
Penetration Testing has several names:
  • Pen Testing
  • Ethical Hacking
  • White Hat Hacking
As you learn more about the art of hacking, you will see three terms used a lot. The white hats, the black hats, and the gray hats. The white hats are the “good guys”. They hack systems and networks so that the black hats (“bad guys”) can not. The black hats, also known as “crackers” are those that use hacking with malicious intent. They’re the ones that want to steal company secrets or your credit card information. For this reason, it is important for the white hats to know the tools and tricks of the black hats to stay a step ahead of them. As for the gray hats, they’re a combination of white and black. They often hack just because they can or like the challenge.

If you have been following the security world, you may have heard of Kali Linux, also known as the newest Backtrack. Any lessons here can be used in both Backtrack 5 and Kali. I will be writing an article about the differences between the two sometime soon.

Hacking Lab
Having a place to practice is necessary to learn how to hack. This is where your own home hacking lab comes in. It is a place where you can control your attacks without harming any other systems. We want our lab to be isolated, with no chance of traffic escaping to targets we didn't mean to attack.
Option 1:
  • Two computers
  • Ethernet Cable
  • A switch
Option 2:
  • Use Virtual Machines
  • You will need 3 or more virtual machines: one for Backtrack, one for a Windows machine, and one for another Linux box. The Linux box will act as our victim server: SSH, web server, FTP, etc.
Option 1 is in case you have older hardware that can’t handle running more than one VM. However, these days, modern hardware can handle them. Option 2 is the better choice because you only need one computer.
Steps in Penetration Testing
  1. Reconnaissance
  2. Scanning
  3. Exploitation
  4. Maintaining Access

Reconnaissance

Penetration Testing Reconnaissance

We want to begin a pen test by reviewing the target's website. We may actually use a tool called HTTrack to make a page-by-page copy of the website. HTTrack is a free program that creates an identical, off-line copy of the target website. The copied website will include all the pages, links, pictures, and code from the original website; however, it will reside on your local computer. Using a website copying tool like HTTrack allows us to explore and thoroughly mine the website "off-line" without having to spend additional time traipsing around on the company's web server.

To install HTTrack open the console and type:
sudo apt-get install httrack

Once it is installed, begin HTTrack by typing httrack in the console:
Next, name your project whatever you want. Select a path where you want to save the off-line copy. I just left it as default (/home/websites). Just hit enter to leave it as such. Then enter the site you want to copy. I am using my own site since I will not get in trouble for copying it. (Please do not copy my site… Thanks!).

Pick an action you want. If you want to copy the site, press 1 then enter. HTTrack has a few options for you to pick from including a proxy to help cover your tracks. I am just using the basics for demonstration. I recommend you use a proxy when doing a real pen test.

After HTTrack finishes, you will have a complete off-line copy of the target site which you can review for information.

The Harvester

The Harvester is a simple Python script written by Christian Martorella at Edge Security. This tool allows us to quickly catalog both e-mail addresses and subdomains that are directly related to the target system.

The Harvester can be used to search Google, and Bing for e-mails,
hosts, and subdomains. It can also search LinkedIn for user names. Often you will find an email address, which could double as a login or user name.

To use theHarvester first type in your console:
root@bt:~# cd /pentest/enumeration/theharvester
root@bt:~# ./theHarvester.py -d backtracktutorials.com -l 10 -b google.com
-d is used to specify the target domain.

A lowercase -l (that's 'L', not a '1') is used to limit the number of results returned to us. In this case, the tool was instructed to return only 10 results. The -b is used to specify which public repository we want to search. We can choose among Google, Bing, PGP, or LinkedIn.

Scanning
The scanning process can be divided into three steps:
  1. Determining if a system is active.
  2. Port scanning the system.
  3. Scanning the system for vulnerabilities.
Step 1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2 and 3 regardless of the outcome of this test. Regardless, it is still important to conduct this step and make note of any machines that respond as alive.

Ports provide a way or location for software and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software, or devices.

Common Ports and their Service
Port      Number Service
20        FTP data transfer
21     FTP control
22     SSH
23        Telnet
25     SMTP (e-mail)
53        DNS
80        HTTP
443      HTTPS
Pings and Ping Sweeps
A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back to the originating machine with an Echo Reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to the target and return.

Pings also report traffic loss that can be used to gauge the reliability of a network
connection.
Ping google.com with the count argument -c 4 to ping 4 times.
The simplest way to run a ping sweep is with a tool called FPing. FPing is built into Backtrack and is run from the terminal. The easiest way to run FPing is to open terminal window and type the following:
fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt

The "-a" argument is used to show only the live hosts in the output. This makes our final report much cleaner and easier to read. The "-g" is used to specify the range of IP addresses we want to sweep. You need to enter both the beginning and the ending IP addresses. In this example, we scanned all the IPs from 172.16.45.1 to 172.16.45.254. The ">" character redirects the output to a file, and hosts.txt is the name of the file our results will be saved to.

Port Scanning
There are a total of 65,536 (0–65,535) ports on every computer. Ports can be
either TCP or UDP depending on the service using the port. We scan computers to see what ports are in use or “open”. This gives us a better picture of the purpose of the machine, which gives us a better idea about how to attack the box.
TCP 3-Way Handshake
Before we go on, we first have to know how computers on a network communicate with each other. When two computers want to communicate, they go through a processes known as the 3-way handshake. The first computer A will send a synchronize packet to the other computer B. Then, if computer B is listening (has its port open), it will respond back to A with a synchronize-acknowledgement packet. Finally, computer A will send an acknowledgement packet to computer B, and the two computers will communicate as usual.
Using Nmap
It is the official guide to using the nmap scanner. What more can I say? This book will cover nmap much more in depth than this site.
When we conduct a port scan, Nmap will create a packet and send it to each designated port on the computer just like the 3-way handshake. The goal is to determine what kind of a response we get from the target ports.
To use Nmap, open up the terminal and type:
nmap -p- 192.168.56.101

Here I scan a Windows XP machine on my network.
The "-p-" tells nmap to scan all ports on a target machine. The 192.168.56.101 is the local IP of the target machine.

Vulnerability Scanning
To scan systems for vulnerabilities, we will use a vulnerability scanner. There are several good scanners available, but we will be focusing on Nessus. To install Nessus type:
root@bt:~# apt-get install nessus

Then, to access Nessus via the GUI go to:
Applications -> Backtrack -> Vulnerability Assessment -> Vulnerability Scanner -> Nessus -> Nessus Start.


Exploitation

Medusa

Medusa is a log-in brute forcer that attempts to gain access to remote services by guessing at the user password. Medusa is capable of attacking a large number of remote services including FTP, HTTP, MySQL, Telnet, VNC, Web Form, and more. In order to use Medusa, you need several pieces of information including the target IP address, a username or username list that you are attempting to log in as, a password or dictionary file containing multiple passwords to use when logging in, and the name of the service you are attempting to authenticate with.

Medusa comes installed on Backtrack 5. However, if you are using a different version of backtrack without Medusa type:
apt-get update
apt-get install medusa

When using online password crackers, the potential for success can be greatly
increased if you combine this attack with information gathered from reconnaissance and scanning. An example of this is when you find usernames, passwords, and email addresses. Programs like Medusa will take a username and password list and keep guessing until it uses all the passwords. Be aware that some remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed. Your IP address can be blocked or the username can be locked out if you enter too many incorrect guesses.

Backtrack includes a few word lists that you can use for your brute forcing adventures. You can find one list at:
/pentest/passwords/wordlists/

In order to execute the brute-force attack, you open a terminal and type the following:
medusa -h target_ip -u username -P path_to_password_dictionary -M service_to_attack
“-h” is used to specify the IP address of the target host. The “-u” is used for a single username that Medusa will use to attempt log-ins. “-P” is used to specify an entire list containing multiple passwords. The “-P” needs to be followed by the actual location or path to the dictionary file. The “-M” switch is used to specify which service we want to attack.




AUDIT TRAILS IN LINUX

Audit Trails in Linux

/etc/audit.rules

auditctl - a command to assist in controlling the kernel's audit system. You can get status, and add or delete rules in the kernel audit system. Setting a watch on a file is accomplished with its -w option (see the examples below).

ausearch - a command that can query the audit daemon logs based for events based on different search criteria.

aureport - a tool that produces summary reports of the audit system logs.
  • aureport --start 11/07/2012 --end 12/07/2012
  • aureport --success — list all successful login attempts
  • aureport --failed — list all failed login stats
  • aureport -l — list all login attempts


# yum install audit
or
# up2date install audit

Auto start auditd service on boot
# ntsysv
or
# chkconfig auditd on

# /etc/init.d/auditd start

Let us say you would like to audit a /etc/passwd file. You need to type command as follows:
# auditctl -w /etc/passwd -p war -k password-file

  • -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
  • -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
  • -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.

Add a watch on "/etc/shadow" with the arbitrary filterkey "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow"
# auditctl -w /etc/shadow -k shadow-file -p rwxa

syscall audit rule

The next rule suppresses auditing for mount syscall exits
# auditctl -a exit,never -S mount

File system audit rule

Add a watch on "/tmp" with the filterkey "webserver-watch-tmp" that generates records for "executes" under "/tmp" (good for a webserver). Note that auditctl -p accepts only r, w, x and a, so execute is selected with x:
# auditctl -w /tmp -p x -k webserver-watch-tmp

syscall audit rule using pid

To see all syscalls made by a program called sshd (pid - 1005):
# auditctl -a entry,always -S all -F pid=1005

How do I find out who changed or accessed a file /etc/passwd?

Use ausearch command as follows:
# ausearch -f /etc/passwd
OR
# ausearch -f /etc/passwd | less
OR
# ausearch -f /etc/passwd -i | less
Where,
  • -f /etc/passwd : Only search for this file
  • -i : Interpret numeric entities into text. For example, uid is converted to account name.
Output:
----
type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep

Other useful examples

Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506

APACHE BENCHMARKING

make a file in /var/www/html/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Webserver test</title>
</head>
<body>
This is a webserver test page.
</body>
</html>
or

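<?php
// Minimal dynamic page for ab runs. Straight quotes are required here; the
// typographic quotes in the original listing are a PHP parse error.
echo "Test Page";
?>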

$ ab -n 1000 -c 5 http://192.168.0.1/index.html

  • -n 1000: ab will send 1000 requests to the server 192.168.0.1 for the benchmarking session
  • -c 5: 5 is the concurrency level, i.e. ab will keep 5 requests in flight at a time against 192.168.0.1

Use -k option that enables the HTTP KeepAlive feature using ab test tool.
$ ab -k -n 1000 -c 5 http://192.168.0.1/kpage.html

Use -e option that allows to write a comma separated value (CSV) file which contains for each percentage (from 1% to 100%) the time (in milliseconds) it took to serve that percentage of the requests:
$ ab -k -n 50000 -c 2 -e apache2r1.cvs http://192.168.0.1/snkpage.html

$ ab -k -n 50000 -c 2 -g apache2r3.txt http://192.168.0.1/snkpage.html

To check perl test.pl
#!/usr/bin/perl
# CGI test page for ab: prints the output of `perl -v` inside a minimal HTML document.
# NOTE(review): the command output is written into the page unescaped; fine for a
# throwaway benchmark page, not for anything that renders untrusted data.
my $title   = "Perl Version";
my $command = `perl -v`;

print "Content-type: text/html\n\n";
print "<html><head><title>$title</title></head>\n<body>\n\n";
print "\n<h1>$title</h1>\n\n";
print $command;
print "\n\n</body></html>";

$ ab -n 3000 -c 5 http://202.54.200.1/cgi-bin/test.pl

To test sql make file psql.php
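<html>
<head><title>Php+MySQL</title></head>
<body>
<?php
// Benchmark page for ab: dumps every row of TABLENAME so that each request
// exercises a full connect/query/fetch cycle against MySQL.
// NOTE(review): the mysql_* extension was removed in PHP 7.0; on current PHP this
// page needs mysqli_* or PDO. USERNAME/PASSWORD/DATABASE/TABLENAME are placeholders
// to be replaced before use; on a real host keep such credentials out of the web root.

// Connect and select the database (connection failure is not checked, as in the original page).
$link = mysql_connect("localhost", "USERNAME", "PASSWORD");
mysql_select_db("DATABASE");

$query = "SELECT * FROM TABLENAME";
$result = mysql_query($query);

// Print every column of every row, one value per line.
// The original listing had the garbled `foreach($lineas$value)`, which is a parse error.
// NOTE(review): values are emitted unescaped into the HTML body; acceptable for a
// throwaway test page only, never for user-controlled data.
while ($line = mysql_fetch_array($result))
{
    foreach ($line as $value)
    {
        print "$value\n";
    }
}

mysql_close($link);
?>
</body>
</html>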


$ ab -n 1000 -c 5 http://202.54.200.1/psql.php

SWAP FILE OR SWAP SPACE

SWAPFILE OR SWAPSPACE

Add a Swap File
dd if=/dev/zero of=/swapfile bs=1024 count=65536   (65536 blocks of 1 KiB = 64 MB swap file)

mkswap /swapfile

swapon /swapfile

/etc/fstab entry for permanent swapfile on boot time
/swapfile          swap            swap    defaults        0 0

[root@svn ~]# cat /proc/swaps
Filename    Type    Size    Used    Priority
/dev/dm-1                           partition    2031612    0    -1
/swapfile                           file    65532    0    -2

Remove the Swap File
swapoff -v /swapfile
remove it entry from /etc/fstab

rm /swapfile

[root@svn ~]# cat /proc/swaps
Filename    Type    Size    Used    Priority
/dev/dm-1                           partition    2031612    0    -1



Add a Swap Space

lvm lvcreate VolGroup00 -n LogVol02 -L 256M
OR
lvcreate VolGroup00 -n LogVol02 -L 256M

mkswap /dev/VolGroup00/LogVol02
/etc/fstab file entry for boot time swap loading
/dev/VolGroup00/LogVol02   swap     swap    defaults     0 0
enable swap space
swapon -va
check swap space
cat /proc/swaps
OR
free

Remove the Logical Volume for Swap

swapoff -v /dev/VolGroup00/LogVol02
lvm lvremove /dev/VolGroup00/LogVol02
remove the entry from /etc/fstab

cat /proc/swaps
OR
free

Extend Swap on Logical Volume

Disable Swapping for that Logical Volume
swapoff -v /dev/VolGroup00/LogVol01
Resize the Logical Volume
lvm lvresize /dev/VolGroup00/LogVol01 -L +256M
Format the new Swap Space
mkswap /dev/VolGroup00/LogVol01
Enable the Extended Logical Volume
swapon -va
Test the Swap
cat /proc/swaps
OR
free

Reduce Swap on a Logical Volume

swapoff -v /dev/VolGroup00/LogVol01

lvm lvreduce /dev/VolGroup00/LogVol01 -L -512M
mkswap /dev/VolGroup00/LogVol01
swapon -va
cat /proc/swaps
OR
free