Monday, October 30, 2006

Baby, who stole your soul?

After a long holiday I'm back at the office. One of the guys from the IT helpdesk asked me why his newly installed FreeBSD 6.1 failed to start. So I tried to boot his FreeBSD and found there was no kernel to boot. What I did was boot from the FreeBSD 6.1 installer and, in sysinstall, choose the Fixit option -> Live CD.

Then I needed to mount the hard disk:

#mkdir /tmp/bsd
#mount /dev/ad4s1 /tmp/bsd

From there I changed directory to /tmp/bsd/boot. There was no kernel directory under boot. Oh baby, who stole your soul (kernel)?

Then I decided to copy the kernel directory from the installer CD (before that, I had already copied the kernel directory onto a thumb drive):

#mkdir /tmp/usb
#/tmp/bsd/sbin/mount_msdos /dev/da0s1 /tmp/usb
#cp -Rf /tmp/usb/kernel /tmp/bsd/boot

That's it. I restored your soul; but who's gonna give me back my soul, baby?


Disclaimer: I cannot be held responsible if this method fails to give any reader satisfaction or pleasure, or causes mayhem, self-destruction, world domination or even human destruction leading to the apocalypse.
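The same rescue, as an added example that is not from the original post: a small sh script that copies a kernel directory into the mounted root and then checks the copy file by file with cksum, so you know the restored kernel is the one from the install media and not a half-finished copy. SRC is a copy of /boot/kernel (from the install CD or the thumb drive) and ROOT is where the broken system is mounted (/tmp/bsd above); those paths, and the use of cksum rather than a stronger hash, are assumptions of this example.

```shell
# Added example, not code from the original post.
# restore_kernel SRC ROOT copies SRC into ROOT/boot/kernel and verifies the copy.

# verify_kernel SRC ROOT: compare every file under SRC with ROOT/boot/kernel.
# cksum prints "crc size name"; both lists are sorted by name so they line up.
# Returns 0 when every checksum and size matches, 1 otherwise.
verify_kernel() {
    src=$1; dst=$2/boot/kernel
    [ -d "$dst" ] || { echo "missing $dst" >&2; return 1; }
    a=$( cd "$src" && find . -type f -exec cksum {} + | sort -k3 )
    b=$( cd "$dst" && find . -type f -exec cksum {} + | sort -k3 )
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# restore_kernel SRC ROOT: refuse to run if SRC has no kernel binary or ROOT
# has no /boot, copy the whole directory (modules included, attributes kept),
# then verify the copy against the source.
restore_kernel() {
    src=$1; root=$2
    [ -f "$src/kernel" ] || { echo "no kernel binary in $src" >&2; return 1; }
    [ -d "$root/boot" ]  || { echo "$root has no /boot, is it really the root filesystem?" >&2; return 1; }
    mkdir -p "$root/boot/kernel" || return 1
    cp -Rp "$src/." "$root/boot/kernel/" || return 1
    verify_kernel "$src" "$root"
}
```

From the Fixit shell this is restore_kernel /tmp/usb/kernel /tmp/bsd. It returns non-zero when the source is not a kernel directory, when the target does not look like a root filesystem, or when any file differs after the copy. If a kernel disappears from a fresh install, it is also worth running verify_kernel with the install CD as SRC once the system is back, to make sure the thumb-drive copy was itself intact.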

Tuesday, October 17, 2006

ICMP L3retriever Ping

My IDS keeps alerting on this: ICMP L3retriever Ping. What the heck is this? Using Google, I stumbled upon this mailing list post:

It's Active Directory related - if you have Win XP systems (and possibly Win 2000 as well), you will have these. You might want to examine your rule and/or look and see if the "Computer Browser" service is enabled on non-domain controllers (i.e. all the workstations, etc).

Based on this answer, I had to stop and disable the Computer Browser service on almost 100 machines. What I did was:

runas /user:domainname\userid cmd
net view | findstr "^\\\\" > hostlist
for /f %i in (hostlist) do psexec %i net stop browser
for /f %i in (hostlist) do sc %i config Browser start= disabled

for /f reads the host names out of the file (a plain for would loop once over the literal word "hostlist"), and its first whitespace-separated token on each net view line is the \\hostname, so any trailing comment text is dropped. sc takes the \\hostname before the config verb, and "start= disabled" needs that space after the equals sign. Keep in mind that net view only lists machines already in the browse list, so hosts that are switched off at the time are missed; run it again another day.


Let's see what happens.

Wednesday, October 11, 2006

PHP Syslog NG

PHP-Syslog-NG is a web interface for querying syslog data stored in a MySQL database. It lacks threshold and alerting capabilities, but hey, it's got what I need. The current implementation looks like this:



I export every available syslog source (Cisco routers, Windows event logs via evtsys, the *nix family) into a "so called" server running syslog-ng + MySQL + PHP-Syslog-NG. The latest release is 2.8 (at the time of writing); it comes with several enhancements, including user access control (user login and session IDs) and a search cache (to speed up database queries). When upgrading from 2.5 to 2.8 I needed to add a users table and also adjust the syslog-ng configuration to combine the time and date fields into one field (datetime):

destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg)
                  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
                  '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};



I also had to add the datetime column to syslog.logs. Everything went smoothly until I added another host to the system: the new host's data did not show up, and I wondered why. It might be a network problem, a system problem, the firewall blocking, or a natural disaster! Running tcpdump (tcpdump -i ifwhateva host the.ip.of.newhost) showed data coming in from the.ip.of.newhost, but there was still no update in PHP-Syslog-NG. Hmm... I think I need to clear the search cache table, syslog.search_cache:

mysql -u root -p syslog -e 'TRUNCATE TABLE search_cache'

That should do the job. Quote the statement with single quotes: backticks inside a double-quoted shell string are command substitution, not MySQL identifier quotes, so the shell would try to run search_cache as a command instead of passing the name to mysql.
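Why template-escape(yes) in that destination is not optional, as an added example that is not part of the original post: a log message is written by whoever produced it, so anything that can send a syslog line (any host the server accepts from, or any remote user who can make a daemon log their input, e.g. the username in a failed SSH login) controls text that ends up inside an SQL statement. syslog-ng's template-escape(yes) prefixes ', " and \ with a backslash; the shell functions below re-create that escaping only to make the difference visible, and the hostile log line is constructed. Column names come from the syslog-ng template above, reduced to three.

```shell
# Added example, not the original post's code nor syslog-ng's.

# sql_escape STRING: prefix ', " and \ with a backslash, which is what
# syslog-ng's template-escape(yes) does to every macro it expands
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}

# build_insert HOST PROGRAM MSG: the statement the template produces
# (reduced to three columns) with every value escaped
build_insert() {
    printf "INSERT INTO logs (host, program, msg) VALUES ('%s', '%s', '%s');" \
        "$(sql_escape "$1")" "$(sql_escape "$2")" "$(sql_escape "$3")"
}

# naive_insert HOST PROGRAM MSG: the same statement with template-escape(no)
naive_insert() {
    printf "INSERT INTO logs (host, program, msg) VALUES ('%s', '%s', '%s');" "$1" "$2" "$3"
}

# Constructed hostile log line: the ' closes the msg literal, ") " completes
# the INSERT, a second statement follows, and "-- " comments out the
# template's own closing quote so the whole thing parses cleanly.
evil="login failed for user '); DROP TABLE logs; -- "
```

naive_insert shows what template-escape(no) would write into /tmp/mysql.pipe: two statements, and whatever feeds the pipe into mysql runs both. With build_insert the quote is escaped and the whole line is stored as the msg value. Independently of escaping, the account that writes through the pipe should only hold INSERT on logs, so even an unescaped message cannot drop anything.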

Sunday, October 08, 2006

New Firewall, comes with headache + loads of fun!




I have to set up several firewalls for my offsite data center. So we bought this 1U machine, NSA, which comes with 4 network cards (WAN, LAN, DMZ, CARP) and one extra PCI slot. I planned to set up 2 firewalls powered by OpenBSD PF, using CARP for high availability. But during the implementation we made some adjustments and settled for pfSense without CARP (pfSense does have CARP capability). Below is a summary of the installation process.

1. Take the hard disk out of the NSA.
2. Connect it to a Windows machine using an IDE-USB cable.
3. Write the image to the hard disk: physdiskwrite -u image (follow the prompts).
4. Put the hard disk back into the NSA.
5. Turn on the NSA and configure the interface IPs over the serial console, using a null modem cable (F/F) with the usual settings (9600 baud).
6. After configuring through the console, you can browse to the pfSense web configurator.
7. The default login is admin:pfsense (change it before the box goes anywhere near production).
8. What I did was turn on bridge mode by bridging the WAN interface with OPT1 (named "bridge").
9. The LAN interface is used for management.
10. The rules are quite simple (actually not for me, since I'm kind of lazy about reading the pfSense RTFM): allow everything on the WAN interface, allow a few things on OPT1 (bridge), and a last rule on OPT1 that denies everything else (explicit deny). Keep in mind that pfSense evaluates rules on the interface where a packet enters, so an "allow everything" rule on WAN passes whatever arrives on WAN towards the bridge.
11. That's it. A very simple process, but it took my whole weekend to set up the firewall due to my laziness in reading the RTFM.

Some good references to read:

http://www.pfsense.com/index.php?id=36
http://www.benzedrine.cx/pf.html

Saturday, September 09, 2006

Automated log processing

I have to process FW-1 log alerts on a daily basis. I'm getting tired of the log alert dashboard that comes with FW-1, and the worst thing is that for decent reporting you need to spend extra money on the Eventia log reporting module. I ended up using fwlogsum, a tool written in Perl. Since I need to run this on a Windows machine, and I'm totally fucked up with Windows scripting, I decided to use Perl as the automation tool, with MIME::Lite and Net::SMTP to mail the result. Here's the script.

use strict;
use warnings;
use MIME::Lite;
use Net::SMTP;    # the transport MIME::Lite uses for send('smtp', ...)

# Global variables: where the reports are built, where the exported log goes,
# where the raw FW-1 log files live, and the raw file's suffix
my $base      = "X:/Where i work/";
my $logdir    = "X:/New log dir/";
my $rawlogdir = "X:/Original log directory/";
my $appen     = "_xyzs.log";

# Yesterday's date, zero-padded, since the report covers the previous day
my @yesterday = localtime(time - 24 * 60 * 60);
my $day   = sprintf("%02d", $yesterday[3]);
my $month = sprintf("%02d", $yesterday[4] + 1);
my $year  = $yesterday[5] + 1900;

# Files: raw log in, exported text log out, three HTML reports
my $LEAfile    = "$rawlogdir$year-$month-$day$appen";
my $exportfile = "$logdir$year$month$day.log";
my @filelist   = (
    "$base$year$month$day-accept.html",
    "$base$year$month$day-drop.html",
    "$base$year$month$day-attack.html",
);

# Processing: export the log with ';' as delimiter and no name/port resolution,
# then let fwlogsum build the accept, drop and attack reports. Each command's
# exit status is checked so a failed export does not mail empty reports.
my @steps = (
    [ "fwm logexport", qq{fwm logexport -d ";" -n -p -i "$LEAfile" -o "$exportfile"} ],
    [ "accept report", qq{perl "${base}fwlogsum" -w -ra -S -l "$exportfile" -o "$filelist[0]" -H "Accepted Traffic for $day-$month-$year" -v} ],
    [ "drop report",   qq{perl "${base}fwlogsum" -w -rx -S -l "$exportfile" -o "$filelist[1]" -H "Dropped Traffic for $day-$month-$year" -v} ],
    [ "attack report", qq{perl "${base}fwlogsum" -w -rt -S -l "$exportfile" -o "$filelist[2]" -H "Attack Traffic for $day-$month-$year" -v} ],
);
for my $step (@steps) {
    my ($name, $cmd) = @$step;
    system($cmd) == 0 or die "$name failed (exit status ", $? >> 8, ")\n";
}

# Sending the report; reference code to Martin Zahn / 05.01.2003
my $from_address = 'fwreport@pencacaimachine.relaks.com.au';
my $to_address   = 'my_master@relaks.com.au';
my $mail_host    = '172.16.100.1';

# Subject and body message
my $subject      = "Firewall report for $day-$month-$year";
my $message_body = "Please refer to the attachments\n";

# Create the multipart container
my $msg = MIME::Lite->new(
    From    => $from_address,
    To      => $to_address,
    Subject => $subject,
    Type    => 'multipart/mixed',
) or die "Error creating multipart container: $!\n";

# Add the text message part
$msg->attach(
    Type => 'TEXT',
    Data => $message_body,
) or die "Error adding the text message part: $!\n";

# Attach the three reports; the attachment name is the file name without $base
for my $report (@filelist) {
    (my $name = $report) =~ s{^\Q$base\E}{};
    $msg->attach(
        Type        => 'text/plain',
        Path        => $report,
        Filename    => $name,
        Disposition => 'attachment',
    ) or die "Error adding $report: $!\n";
}

# Send the message through the SMTP relay
MIME::Lite->send('smtp', $mail_host, Timeout => 60);
$msg->send;

# Clean up the reports
unlink(@filelist);

So now I only have to check my mailbox for the log report summary. Only when there is something weird in the report do I turn to the FW-1 dashboard.
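What the fwlogsum step boils down to, as an added example that is not from the original post or from fwlogsum: an awk summary over the ';'-separated export that fwm logexport -d ";" writes. It resolves column positions from the header line instead of hard-coding them, since the exported field list differs between FW-1 versions and between logs. The field names it relies on (action, src) are the ones FW-1 exports; the five log rows are constructed, not real traffic.

```shell
# Added example, not the original post's code nor fwlogsum's.

# summarize_fw1 FILE: print one line per action ("accept N", "drop N", ...)
# and the source with the most dropped connections, sorted for stable output.
# Fails when the header does not carry the columns it needs.
summarize_fw1() {
    out=$(awk -F';' '
        NR == 1 {
            # header line: map column name -> index, keep the two we use
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("action" in col) || !("src" in col)) { bad = 1; exit 1 }
            ai = col["action"]; si = col["src"]
            next
        }
        NF < 2 { next }                      # blank or trailer lines
        {
            count[$ai]++
            if ($ai == "drop") drops[$si]++
        }
        END {
            if (bad) { print "header lacks action/src columns" > "/dev/stderr"; exit 1 }
            for (a in count) printf "%s %d\n", a, count[a]
            top = ""
            for (s in drops) if (top == "" || drops[s] > drops[top]) top = s
            if (top != "") printf "top_drop_src %s %d\n", top, drops[top]
        }' "$1") || return 1
    printf '%s\n' "$out" | sort
}

# sample_fw1_log: write a constructed file in the shape of fwm logexport
# output (header first, ';' separated) and print its path
sample_fw1_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;rule
1;9Sep2006;00:01:02;fw1;log;accept;;eth0;inbound;tcp;10.0.0.5;192.0.2.10;http;3
2;9Sep2006;00:01:05;fw1;log;drop;;eth0;inbound;tcp;198.51.100.7;192.0.2.10;telnet;99
3;9Sep2006;00:01:09;fw1;log;drop;;eth0;inbound;tcp;198.51.100.7;192.0.2.10;ssh;99
4;9Sep2006;00:02:30;fw1;log;accept;;eth1;outbound;udp;10.0.0.8;192.0.2.53;domain;5
5;9Sep2006;00:03:00;fw1;log;drop;;eth0;inbound;tcp;203.0.113.9;192.0.2.10;smtp;99
EOF
    printf '%s\n' "$f"
}
```

On a real export, run summarize_fw1 against the file the fwm logexport step produced. Looking up columns by header name is what keeps this working when the export gains or loses fields; the awk result is captured before sorting so a bad header still makes the function return non-zero rather than being masked by sort's exit status.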

Thursday, February 23, 2006

Ntop with NetFlow v5

I needed some tools to monitor my LAN. At first I used ntop with a SPAN port. The bad thing about this: my ntop server's CPU looked like it was in the middle of processing/cracking 2048-bit RSA/3DES/Blowjobfish encryption. So I decided to enable the NetFlow plugin in ntop. Only 3 steps are needed to enable NetFlow on a Cisco router:

1) Select the interface(s) on which to enable NetFlow
2) Point the export at the collector's IP
3) Define the NetFlow version. Voila..

Router#conf t
Router(config)#int fa 0/0
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 1.1.1.1 9995
Router(config)#ip flow-export version 5
Router(config)#exit

To check the NetFlow configuration: show ip flow export

Then run ntop in daemon mode with its web interface bound to the collector's address. The port must be a valid TCP port (1-65535); 3000 is ntop's default:

#ntop -d -s -b -w 1.1.1.1:3000

Since I have multiple routers/switches, I need to listen for multiple NetFlow streams. I need to configure the NetFlow plugin to listen on multiple ports, so defining a different port in the NetFlow plugin configuration for each switch does the trick.

By the way, ntop is a very nice tool written by Luca Deri. If you're looking for a NetFlow solution and happen to have extra money, go and buy this tool => nbox

Saturday, February 18, 2006

The attack of the Worms??

Over the weekend I decided to open port 80 on the firewall. I thought there would be no connections to my IP, but to my surprise there were a lot of attempts. Is it a worm? Or some freak who just learned what a port scanner is? Here's the snapshot.




Saturday, February 11, 2006

Monitoring system in 3 hours?

Yeah.. I just managed to install a new monitoring system in 3 hours, using FreeBSD 6.0, PHP 4.x, MySQL 4.x, Apache 1.3.x, BASE, Snort 2.3.x and Cacti 0.8x.

Here are the steps taken.

1) Install FreeBSD 6.0 with the minimum set of packages.
2) After configuring the newly installed FreeBSD 6.0, update the ports tree using cvsup.
Here's the cvs-supfile:

*default host=cvsup.jp.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_6_0_0_RELEASE
*default release=cvs delete use-rel-suffix compress
# src-all        (I don't want to update the source, so it's commented out)
ports-all tag=.
#doc-all tag=.   (same goes for doc)


3) Since my network is firewalled, I need to tunnel cvsup through ssh. The supfile's host line is overridden by -h, so cvsup connects to the forwarded port on localhost:

ssh -L 5999:cvsup.jp.freebsd.org:5999 admin@p0rn.org
cvsup -g -L2 -h localhost cvs-supfile

4) After a while (depending on your internet connection speed), the update finishes.
5) Then install mysql41-client and mysql41-server from ports. Before performing the MySQL installation, make sure your hostname is localhost. After the installation finishes:

mysql_install_db
chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/
mysqld_safe &   # now mysql is running in the background

6) Then change the password for root:

mysqladmin -u root password new-password

7) Install Apache 1.3.x, also from ports, then configure it.
You just need to set ServerName in httpd.conf before firing up Apache.
8) Install PHP 4.x from ports.
9) Install Snort 2.3.x from ports, then configure snort.conf:
define HOME_NET and the output (log) type.

snort -T -c /usr/local/etc/snort.conf -i fxp0   # test the snort config; without -c snort never reads snort.conf, which is why the first attempt did not work

10) Import the Snort database schema into MySQL.
11) Create a database user for Snort.

mysqladmin -u root -p create snort
mysql -u root -p snort < create_mysql   # schema file from the snort distribution; adjust the path to where the port installed it
mysql -u root -p
mysql> GRANT ALL ON snort.* TO snortman@localhost IDENTIFIED BY 'shithead';
mysql> flush privileges;
mysql> quit

12) Install BASE, also from ports. Then browse to http://my-ip/base/ and do some configuration there.
13) Run Snort as a daemon (pointing it at the same snort.conf) and monitor from BASE:

snort -D -c /usr/local/etc/snort.conf -i fxp0

14) Time for Cacti. It's very straightforward, no thinking needed, only balls required! Install everything from ports.
15) Configure the database for Cacti:

mysqladmin -u root -p create cacti
mysql -u root -p
mysql> GRANT ALL ON cacti.* TO www@localhost IDENTIFIED BY 'shitagain';
mysql> flush privileges;
mysql> quit

16) Configure /cacti_path/cacti/include/config.php.
17) Browse to Cacti at http://my-ip/cacti/
18) Done.


Let the system run over the weekend to see how it performs. Before this I used OpenBSD 3.7 and had a lot of trouble keeping mysqld running. Let's see how my new FreeBSD system performs..?

Friday, January 06, 2006

I need a new hobby

I need a new hobby... Sewing clothes? Planting trees? Raising chickens? WTF... raising chickens in an apartment..

I could probably become a distinguished and glorious chess player if I limited my time in front of the PC and started playing chess. Dammit, chess sucks big time..

I think I'll try a new hobby, among them:

1) Martial arts (join an Aikido class, or else boxing)
2) Shooting (where is there a class where you get to hold an air gun, reserved for people with rather poor eyesight?)
3) Swimming (yes, swimming.. besides, I don't know how to swim)
4) Playing music (maybe I'll sign up for a classical or jazz music class. I want to learn to play guitar/drums.)
5) Travelling (is there internet upcountry/in the jungle?)

Maybe sitting in front of this PC is still the answer...

Sunday, January 01, 2006

2006

Another new year. This time it's 2006... Every time a new year comes, all kinds of resolutions come out. Yes, right... resolutions... but how can they succeed without effort, dammit!!!