JW Network Consulting » Consulting

The Importance of Backups and the SMB

Jason — Wed, 14 Oct 2009 03:37:57 +0000

Today we had a really bad thing that happened, but it ended up not mattering at all. One of my clients was busy doing some work and accidentally deleted a directory with about 1 GB of data in it. I got a very worried email from them and if it could be restored. Fortunately, we had recently implemented a new backup system and it was running very well. I logged into the system, found the needed directory in the last backup to Mozy and kicked off the restore. 40 minutes later, they were back to using the files that had gone MIA.

Why did this not matter? Because we had good backups in place. The system syncs nightly to Mozy’s storage systems and I get daily updates on how things went. When I got the email telling me about the issue I knew right away where the data would be and how to get it back. No running around for tapes. No hoping that last job had actually worked.

In the past, backups could cost quite a bit. Tape drives, backup software and tapes don’t come cheap when you are a small or medium sized business (SMB). You could easily drop $5,000 or more on a single tape drive, some software and enough tapes to keep it going for a while. Then you have to switch tapes daily and all that other fun stuff. As a result a lot of SMBs don’t have the backups they need and we all need them. Accidents happen.

The good news is that backups don’t have to cost you a ton of capital. How much did this wonderful peace of mind cost my client? For this server, the grand total is less than $10 per month. How long did it take to setup? About 15 minutes. How long and expensive could it have been if the data was completely gone?

Technorati Tags: backups, business continuity, restore data

Speaking at the 2009 Utah Open Source Conference

Jason — Tue, 15 Sep 2009 16:53:32 +0000

Last month I sent the Utah Open Source Conference a proposal for a presentation on “Building an Open Source Security Tool Set“. Presentations are voted on by the registered attendees and the other folks who have submitted a presentation. When I was making my votes, I saw that there were a lot of great abstracts. In fact, there were a lot of abstracts period. Because of this, I really didn’t expect to get selected. Turns out I was wrong!

I received word on September 3rd that my presentation was accepted and that I will be speaking at the Utah Open Source Conference. The current time scheduled is on October 9th at 12:00 PM. Here is my description of the proposal.

If you want to build out a kit of commercial security tools, bring a big bank account to pay for it. Not only that, you’ll find that there are still gaps in your setup that need to be filled. What do you do if you have a finite budget (who doesn’t?) or have no budget? Does testing your security require a fat wallet? Fortunately, no.

In this presentation I’ll go over a number of open source security tools, what they do and where you can get them. Individual tools will be discussed as well as Live CDs which have a collection of the tools all together.

I’m very excited to have been selected to give this presentation. It should be a lot of fun and I hope it will be useful to those in attendance. I’m trying to have some goodies for the attendees, but I’m not sure how many I’ll need. We will see.

You can register for the conference using the UTOS 2009 banner on the right or you can use the link below. Hope to see you there!

http://register.utosc.com/utoscreg/

Technorati Tags: open source, security tool, speaking, tech conference

Spyware Removal – Pain followed by success

Jason — Fri, 20 Mar 2009 07:22:31 +0000

I was working on a PC for someone that had some real issues with spyware on his system. The main symptom that he found was that his computer would hang after boot up. The mouse could move around, but you couldn’t do anything with the Start Menu, desktop icons, or the keyboard. My task was to get the system responsive again and do my best to remove what was causing it.

At first things didn’t go well. I was able to work around the boot up problem by starting into Safe Mode. When I copied over the installer for Malwarebytes I found that the program wouldn’t execute. I used Autoruns from Sysinternals to see what was firing up on boot and removed several things that shouldn’t have been there. I rebooted into Windows normally and I could use the system again. However, IE started popping up and it was attempting to connect to a bogus URL. Better, but not great. I tried to run the install for Malwarebytes again. No luck. Back into safe mode, more clean up, back into normal mode and the desktop hangs again. Worse luck.

At this point none of the removal tools I have are working, removing things from startup aren’t working and I’m getting really frustrated. It was late, so I tried again the next day. I started looking at doing a repair installation of Windows XP to work around the issue, but due to problems with RAID card drivers the effort failed. I went back to looking for a way to deal with the system without the repair install.

The first sign of progress was when I renamed the installer for Malwarebytes. I executed the renamed file and the installer fired right up! Everything went fine until the actual executable for Malwarebytes started. Then the installer froze and had to be killed. I did some searching for the symptoms and found a tool called ComboFix. I did some quick research and the tool appeared to be legitimate. I booted into Safe Mode and renamed the exectable for ComboFix.exe to 1ComboFix.exe. Execution of the renamed file took off and it started scanning.

Fairly quickly it found some stuff that it deemed Rootkits. Joy. It listed them as:

c:\windows\system32\drivers\UACrjnkvrnp.sys
c:\windows\system32\UACqfuirjuv.dll
c:\windows\system32\UACtfbsky.dat
c:\windows\system32\UACwsnlkjjbj.dll
c:\windows\system32\UACalotomap.dll
c:\windows\system32\UACqhhmqhcl.dll
c:\windows\system32\UACogswwuya.log
c:\windows\system32\UACogixetrb.log
c:\windows\system32\UACbftmxewp.log
c:\windows\system32\UACpxtfqxqm.dll

It rebooted, removed the files and then came up in regular mode. It continued scanning and removed more files flagged as spyware. One more reboot and the process completed. I fired up the Malwarebytes installer and had no problems during install. I ran a full scan of the system and it found another 23 items. Most of these were registry entries, but some were actual files that looked pretty suspect. One more reboot to complete the scan was needed. The machine came up normally and cleanly. I ran another scan and it came up clean. I did several more reboots, started Internet Explorer, and ran several other programs. Everything looked great and the system was responding well. It looks like a happy ending for this computer.

Do I completely trust that everything was removed and the system is 100% clean again? No, I don’t. There was way too much installed on it to make me feel any confidence about that. However, ComboFix and Malwarebytes took a machine that couldn’t even finish start up and got it back up and running again. So while I have my reservations, I can at least have a better chance of giving a customer a reasonably responsive system and explain the risks as they now are. And I found a new tool that seems to have done a great job. That’s never a bad thing.

Technorati Tags: combofix, malwarebytes, spyware removal

New look for the web site!

Jason — Wed, 18 Mar 2009 00:56:06 +0000

Tonight the new look for the website went live! Major thanks to Denise Smith for her work on the graphics. Everything she’s done for the business has come out great looking. I’m really excited to have this done. I hope you all enjoy it as well.

Technorati Tags: new website

Signing SSL Certificate Requests

Jason — Sun, 15 Feb 2009 00:31:56 +0000

A while back I wrote a post on how to create a Certificate Authority on Linux, import the CA certificate into Active Directory and use it as an internal CA for your organization. Then I went silent for a while on the subject. Here is the follow up on how to sign SSL certs.

We are going to be generating the certificate for an IIS web server. Open IIS manager and drill down to your website. Select the properties of the website that needs the certificate, then go to the Directory Security tab. You should see some options about SSL certificates towards the bottom of the window. Click the Server Certificate button. The default option is to create a certificate request. Click next and follow the prompts.

This part is very important. You will need to provide the domain name of your website as the common name. If you put anything other than your domain name into the common name field, your users will receive a warning that there is a problem with the SSL certificate.

Once that is done and past the wizard should prompt you to create a text file to save the file as. Usually this is c:\certreq.txt, so change it to something to indicate which domain name it is from.

Next copy the contents of this text file to your Linux or BSD box. The default SSL location is /etc/ssl on Ubuntu Linux. Save this contents of your certificate request to something like “www.mydomain.com.csr”.

With the CSR on the certificate authority server, you’re ready to go. Take a look and see where your CA certificate and key are at. In this example, the CA certificate is in /etc/ssl/cacert.pem. The private key is in /etc/ssl/private/cakey.pem.

root@hostname:/etc/ssl# openssl x509 -req -days 365 -in www.mydomain.com.csr -CA /etc/ssl/cacert.pem -CAkey /etc/ssl/private/cakey.pem -CAcreateserial -out /etc/ssl/www.mydomain.com.cer

Signature ok

subject=/C=US/ST=Utah/L=Layton/O=JW Network Consulting/OU=Technology/CN=www.mydomain.com

Getting CA Private Key

Enter pass phrase for /etc/ssl/private/cakey.pem:

root@hostname:/etc/ssl#

You now have your signed SSL certificate, /etc/ssl/www.mydomain.com.cer. Copy the contents of the file to a text file on your IIS server. Change the extension to .cer so IIS knows what to do with it. Open the properties of your website and go to the Directory Security tab. Click the Server Certificate button again and process the pending certificate request. Point it to your signed SSL certificate, C:\www.mydomain.com.cer, and finish the wizard off.

That’s it.

Technorati Tags: bsd, IIS, linux, sign certificate, ssl

FreeBSD 7.0 Build

Jason — Mon, 13 Oct 2008 02:43:07 +0000

Introduction

This document contains basic instructions on building a system using FreeBSD 7.0. This covers security standards, configuration options, networking configuration, etc. The information used in this example probably doesn’t match your environment or hardware exactly. Verify your network, hardware and other internal system build standards before using the information contained here. Use this document at your own risk.

This document assumes technical knowledge of FreeBSD, especially in regards to kernel configuration (which is highly dependant on server hardware, application usage, and expected functionality.)

Before You Begin

Make sure that you have the following items completed and available for the installation:

FreeBSD 7.0-RELEASE disc
Hardware has been updated with the correct configuration for its type (see hardware preparation documentation specific for the platform and model.)
Obtained server name and IP addresses

Operating System Installation

Boot from FreeBSD 7.0-RELEASE installation media. Accept the Boot Loader default when it is loaded.
Country Selection – United States
Choose “Custom” under the Main Installation Screen
1. Select “Partition”
  1. Select free space and choose “A” to use the entire disk. You will need to allocate disk differently if you have particular storage requirements, such as direct attached storage.
  2. Set the partition as bootable with “S”
  3. Select “Q” to finish
When prompted on the Boot Manager Screen, select “Standard”
Select “Label” to begin assigning and labeling disk slices
1. The following is an example. I tend to make /var, /home and /opt separate slices so that if something fills that volume up, it doesn’t cause problems with the rest of the system. Customize this as you need to.
2. As an example, use the following partition scheme:
  - swap – 512 MB
  - / – 1024 MB
  - /usr – 8192 MB (This can be more if needed, but I use 8192MB as a minimum)
  - /var – 1024 MB (Running a large MySQL database will require an increase here)
  - /tmp – 512 MB
  - /home – 4096 MB
  - /opt – What ever is left. I generally push large databases, applications or other data here so it doesn’t interfere with normal system operations.
3. Hit “Q” to finish
Choose “Distributions” under the Main Installation Screen
1. Select only the following distributions:
  - Minimal
  - Custom
  - base
  - kernels
  - dict
  - doc
  - info
  - man
  - catman
  - proflibs
  - src – ALL
  - ports
  - local
2. Back out to the Main Installation Screen
Select “Media”
1. Choose “CD-ROM”
Select “Commit” to finalize these settings
1. Verify the settings by choosing “Yes”
2. The operating system will now be installed from CD-ROM
After installation, when prompted to set last options, choose “Yes”
1. Set root password
2. Set the time zone. I use the Pacific time zone in the US as an example here.
  1. Select “No” when asked to set the clock to UTC
  2. Select America – North and South
  3. United States
  4. Pacific Time – Confirm abbreviation of the time zone
Configure “Networking”
1. Enable sshd
2. Select “Interfaces”
  1. Select interface you wish to configure
  2. Do not enable Ipv6 (unless you need it)
  3. Do not enable DHCP (unless you need it)
  4. Enter hostname
  5. Enter domain name
  6. Enter Gateway – Appropriate gateway for the network you are on
  7. Enter DNS server(s)
  8. Enter IP address and subnet mask
  9. Select Yes to bring up the interface
  10. Exit back up out of Interfaces
3. Configure “Startup”
  1. Unselect “quotas”
Select “Exit” twice, followed by “Exit Install”, then “Yes”
The server will be automatically rebooted, finishing the installation

Operating System Configuration

Log into the server as root
vi /etc/rc.conf and ensure the following options are set:
- check_quotas=”NO”
- defaultrouter=”x.x.x.x”
- hostname=”hostname”
- ifconfig_=”x.x.x.x netmask x.x.x.x”
- xntpd_enable=”YES”
- xntpd_program=”ntpd”
- xntpd_flags=”-c /etc/ntpd.conf -p /var/run/ntpd.pid”

Note: Instances of “x.x.x.x” should be replaced with the proper IP address or network mask

vi /etc/resolv.conf and ensure the following lines are set:
- domain domain.com
- nameserver x.x.x.x
- nameserver x.x.x.x
- search search.com domains.com
Configure NTP
1. ntpdate local.time.server
2. vi /etc/ntpd.conf, erase all contents (if any) and insert the following:
  - server server 0.north-america.pool.ntp.org
  - server server 1.north-america.pool.ntp.org
  - server server 2.north-america.pool.ntp.org
  - driftfile /etc/ntpd/drift
  - multicastclient
  - broadcastdelay 0.008
  - restrict X.X.X.X mask X.X.X.X nomodify notrap
Configure the message of the day (MOTD) to something appropriate
run “chpass”
1. Change “Charlie &” to read “HOSTNAME &”
Disable unneeded terminals
1. vi /etc/ttys
2. Comment out (or delete) everything in the Virtual Terminal section except the following ttyvs:
  - ttyv0
  - ttyv1
  - ttyv2
3. Save and quit vi
4. killall -HUP init
Install basic packages
1. pkg_add -r bash
2. Install cvsup-without-gui
3. pkg_add -r sudo
4. pkg_add -r portupgrade
Configure cvsUp
1. vi /etc/cvsupfile and enter the following:
  - *default tag=RELENGE_6_3
  - *default host=cvsup12.freebsd.org
  - *default prefix=/usr
  - *default base=/var/db
  - *default release=cvs delete use-rel-suffix compress
  - src-all
  - ports-all
  - docs-all
2. Save and quit
Run CVSup
1. /usr/local/bin/cvsup /etc/cvsupfile
2. This will take a fair amount of time; leave the install and go do something else for awhile
Update your world
1. cd /usr/src
2. Check to see if the obj subdirectory exists; remove it (and all of its contents) if it does
3. make buildworld
4. This will take even longer than the cvsup; find something better to do then watch the pretty text scrolling by
5. cp /usr/src/sys/i386/conf/SMP /usr/src/sys/i386/conf/MYCUSTOMKERNEL
6. If you want to be able to connect to shares on Windows systems, edit MYCUSTOMKERNEL and add the following options:
  - options SMBFS
  - options LIBMCHAIN
  - options LIBICONV
  - options NETSMB
  - options NETSMBCRYPTO
7. cd /usr/src – (just to make sure we are still in the right place)
8. make buildkernel KERNCONF= MYCUSTOMKERNEL
9. This will also take a while, but not nearly as long as buildworld. Once it finishes compiling, we next type
10. make installkernel KERNCONF= MYCUSTOMKERNEL
11. make installworld
12. Once this completes it is time to reboot into our newly updated OS.
13. init 6
14. Once the box comes back online, log in as root again and merge our config files
15. mergemaster
16. This will install new files and walk you through the process of merging changes into existing files. My general rule of thumb is to install all files that I have not modified
run portsnap and upgrade packages as needed with portupgrade.
Configure portupgrade and verify that all ports are up to date:
1. portsdb -Uu
2. portversion
Configure users
1. adduser – follow the prompts
2. visudo
  - Add the user create a user alias and add your new user to the alias.
  - copy the line for root privileges, paste below and change to your user alias
Configure aliases
1. vi /etc/aliases and change
  - root: sysadmin@somedomain.com
2. Write and quit
3. newaliases
init 6 ; manually cycle server power
Make sure everything starts up properly on boot
Done

FreeBSD 6.3 Build

Jason — Mon, 13 Oct 2008 01:55:04 +0000