Network Security and System Administration

Dedicated to Network Security and System Administration with Free Software and Open Source.
Author: Niklas Eriksson. Feed last updated 2024-02-28.
This blog is created primarily for myself to keep track of gained experiences.


Updated sheets
Posted 2009-08-13 by Niklas Eriksson

http://packetlife.net has got some new cheat sheets!

Updated:

http://packetlife.net/static/cheatsheets/bgp.pdf
http://packetlife.net/static/cheatsheets/eigrp.pdf
http://packetlife.net/static/cheatsheets/first-hop-redundancy.pdf
http://packetlife.net/static/cheatsheets/spanning-tree.pdf
http://packetlife.net/static/cheatsheets/ios-ipv4-access-lists.pdf
http://packetlife.net/static/cheatsheets/cisco-ios-versions.pdf

Check 'em out!

Cheers :)


Recap on netsh (Windows)
Posted 2009-05-21 by Niklas Eriksson

Dump the interface configuration (tested on Windows 2003 Standard SP2).

Save your perfect running config (adding many, many IPs manually in Windows is a real pain):

C:\documents and settings\Administrator\My Documents>netsh -c interface dump > interface.server1.txt

Want to update or change some values? Just edit interface.server1.txt (be careful about correct syntax, see http://technet.microsoft.com/en-us/library/cc738592(WS.10).aspx) and save it as a new file such as "interface.server1.new.txt".

Deploy your new settings:

C:\documents and settings\Administrator\My Documents>netsh -f interface.server1.new.txt

Something went wrong, or testing done? Revert to the old config:

C:\documents and settings\Administrator\My Documents>netsh -f interface.server1.txt

Voilà! Always be sure to verify settings and connectivity afterwards!


Remove old files (*nix commandline)
Posted 2008-12-12 by Niklas Eriksson

The other day I needed to remove quite a few old files, modified X days ago.

/var/www/htdocs/disttool/filedata# ls -lah
-rw-r--r-- 1 www-data www-data 15M 2007-10-12 15:41 349
...
-rw-r--r-- 1 www-data www-data 44M 2008-12-10 11:48 510

The file names are numbered from 349 up to 510 in this case.

So how to remove every file older than 2 days?

# find /var/www/htdocs/disttool/filedata/ -type f -mtime +2 -exec rm {} \;

(-type f restricts the match to regular files, so the directory itself is not handed to rm.)

I recommend replacing "-exec rm" with "-exec ls -lah" before rm'ing; rm will *not* ask for confirmation during delete.
Platform is Debian.

Cheers!


Extract multiple zip files with 7-zip (Windows)
Posted 2008-09-24 by Niklas Eriksson

The other day I needed to extract some ESX 3.x patches within one directory.
http://www.vmware.com/ allows downloading patches using a small Java applet, but every patch is a zipped archive containing many files.

Using one Windows server as the ESX patch depot, I needed to extract all these files in one command.
Since this server already had 7-zip installed, using that would be nice.

C:\>cd "Program Files\7-Zip"

EXECUTE!

C:\Program Files\7-Zip>7z.exe x G:\VMware_Patches\ESX350\*.zip -o"G:\VMware_Patches\ESX350\"

Processing archive....
....
....
Processing archive: G:\VMware_Patches\ESX350\ESX350-Update01.zip
Extracting ESX350-Update01
Extracting ESX350-Update01\descriptor.xml
Extracting ESX350-Update01\contents.xml
Extracting ESX350-Update01\contents.xml.sig
...
...
Everything is Ok
Total:
Archives: 89
C:\Program Files\7-Zip>

Now I want to check the directories:

C:\Program Files\7-Zip>dir /AD g:\VMware_Patches\ESX350

Directory of g:\VMware_Patches\ESX350
ESX350-200802301-BG    2008-09-24
...
...

Seems OK!

DONE!


Networking packet traces
Posted 2008-09-24 by Niklas Eriksson

Just found this site: http://packetlife.net/captures/1

Among many things, the traces available include:

GLBP_election.cap
ISIS_level2_adjacency.cap
MPLS_encapsulation.cap
PIM-SM_join_prune.cap

Not so much security as networking stuff, though.

I plan to do some analysis using the latest HeX Live CD (please check it out: http://www.rawpacket.org/projects/hex/hex-livecd).

HeX contains a variety of the crucial tools needed while doing packet analysis.

Happy packet hunting!


Patching VMware ESX 3.0.1, with VMware ESX patches
Posted 2008-08-04 by Niklas Eriksson

One way of many to do this... :)
This patching procedure assumes no VirtualCenter, just a standalone ESX host with NAS (NFS).

First download and install patch ESX-5874303:

VMware ESX Server 3.0.1, Patch ESX-5874303: Update to the esxupdate Utility
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=5874303

# /usr/sbin/esxupdate -v 10 -noreboot -r file:/mnt/ESXPatches/ESX-5874303

Then create a list of the extracted patches within /mnt/ESXPatches/:

#!/bin/sh
#
# Create a list of patch IDs (one directory per extracted patch) in
# /mnt/ESXPatches and write it to patchesList.txt
cd /mnt/ESXPatches || exit 1
rm -f patchesList.txt
ls -l | grep '^d' | awk '{ print $9 }' > patchesList.txt
echo DONE
echo /mnt/ESXPatches/patchesList.txt created

Now we are ready to install every patch that has been downloaded and extracted:

patchESX.pl
#!/usr/bin/perl
# patchESX.pl -- auto update esx perl script
# by Vincent Vlieghe
# Version 6/03/2007
# Edited by Niklas Eriksson
use strict;
use warnings;
use LWP::Simple;

# Read the patch list produced by the shell script above
my $patchlist = get('file:///mnt/ESXPatches/patchesList.txt')
    or die "cannot read /mnt/ESXPatches/patchesList.txt\n";
my @array = split(/\n/, $patchlist);
foreach my $item (@array)
{
    $item = trim($item);
    next if $item eq '';
    print $item;
    # "esxupdate query" lists installed bundles; grep exits 0 on a match
    my $cmdQuery = "/usr/sbin/esxupdate query | grep $item";
    if (system($cmdQuery) == 0)
    {
        print "\n$item is already installed - skipping\n";
    }
    else
    {
        print "\n$item is not yet installed - installing\n";
        my $cmdUpdate = "/usr/sbin/esxupdate -v 10 -n -r file:///mnt/ESXPatches/$item update";
        system($cmdUpdate);
    }
}

# Strip leading and trailing whitespace
sub trim
{
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}

Now we can verify the installed software and REBOOT our server!!!

[root@esx1 bin]# /usr/sbin/esxupdate -l query
Installed software bundles:
 ------ Name ------ --- Install Date --- --- Summary ---
 3.0.1-32039 18:14:49 10/11/07 Full 3.0.1 release of VMware ESX Server
 ESX-2158032 12:12:28 10/12/07 Add LFENCE for RWO on AMD K8 before RevF
 ESX-1410076 12:15:33 10/12/07 BSOD 0x109 during 64-bit Windows install
 ESX-1006511 12:16:10 10/12/07 Fixing TX hang in 80003ES2LAN Controller
 ESX-9986131 12:16:54 10/12/07 Updated openssh, python, and openssl
 ESX-8173580 12:18:11 10/12/07 Fix COS Oops running Dell OM5 w/ QLogic
 ESX-6921838 12:20:38 10/12/07 hot removal of a virtual disk thru SDK
 ESX-2066306 12:21:08 10/12/07 Patch for VM crashes and possible freeze
...


Shutdown ESX 3.0.1 VM's from console
Posted 2008-08-04 by Niklas Eriksson

Small script for VMware ESX 3.0.1.

VMShutdown.sh
--------------------
#!/bin/sh
# VMware ESX 3.0.1
# Get VM state, shut down running VMs
# From http://www.mgeups.com/download/soft/install/linux/nsm/how_to_vmware_en_1_2.pdf
# VMware Tools MUST be installed in each VM for this script to work
#
VMLIST=`/usr/bin/vmware-cmd -l`
for VM in $VMLIST
do
    VMSTATE=`/usr/bin/vmware-cmd "$VM" getstate -q`
    # Guest OS shutdown if VMSTATE is equal to "on"
    if [ "$VMSTATE" = "on" ]
    then
        # trysoft: ask the guest to shut down via VMware Tools,
        # hard: fall back to a hard power-off if that fails
        /usr/bin/vmware-cmd "$VM" stop trysoft hard
        echo Waiting 10 SEC
        sleep 10
    fi
done
echo ----------------------------------------------------------------
echo "DONE, check for errors if VMs don't have VMware Tools installed"
echo ----------------------------------------------------------------


Extract several VMware ESX patches within one directory (ESX 3.0.1 Console)
Posted 2008-08-01 by Niklas Eriksson

I wanted to extract all archives with one line.

First, mount my NFS share (R/W):
# mount 172.16.1.20:/ESXPatches /mnt/ESXPatches
# cd /mnt/patches
# ls
..
ESX-9986131.tgz
ESX-8173580.tgz
..

Action begins here:

[root@esx1 patches]# for i in *.tgz; do tar -xzvf "$i"; done
ESX-1000039/
ESX-1000039/VMware-esx-scripts-3.0.1-42368.i386.rpm
ESX-1000039/VMware-esx-vmkernel-3.0.1-47426.i386.rpm
ESX-1000039/headers/
ESX-1000039/headers/VMware-esx-scripts-0-3.0.1-42368.i386.hdr
ESX-1000039/headers/VMware-esx-vmkernel-0-3.0.1-47426.i386.hdr
ESX-1000039/headers/header.info
ESX-1000039/descriptor.xml
ESX-1000070/
ESX-1000070/VMware-esx-scripts-3.0.1-42368.i386.rpm
ESX-1000070/VMware-esx-tools-3.0.1-47426.i386.rpm
ESX-1000070/VMware-esx-vmx-3.0.1-47426.i386.rpm
..
..

Seems OK!

Now I just need to wait for the rest of the 118 archives to untar..

Cheers!


Reasons behind slow blogging
Posted 2008-07-03 by Niklas Eriksson

My father died 2008-02-16 after 5 years of having prostate cancer.
Tough times, but I manage; I also inherited lots of stuff and papers.
Time has been short and motivation a bit lacking, but I will keep posting at semi-regular intervals ;-)

Regards,
Niklas


Windows 2003 Add several ip addresses at once
Posted 2008-05-06 by Niklas Eriksson

Create a batch file "servername-netsh-ipaddress-interface-WAN.cmd".

"WAN" in this case is the name given to the appropriate network adapter via "Control Panel" -> "Network Connections".

@echo on
netsh interface ip add address "WAN" 10.0.0.1 255.255.255.0
netsh interface ip add address "WAN" 10.0.0.2 255.255.255.0
pause

When run, the command prompt will show the status of each command; if it says "Ok" it worked.


Debian DRBD NFS Failover Cluster
Posted 2007-07-20 by Niklas Eriksson (updated 2007-07-26)

NFS Cluster Lab Notes

Motivation: Customers demand access 24/7; scheduled or unscheduled downtime for maintenance tasks or failure handling is unacceptable.

What: DRBD provides "cheap" storage mirroring using commodity hardware and free software, fortifying your enterprise.
My primary Linux choice for a mission-critical NOS is Debian.
Debian may not be the right choice for you, your environment or your setup.

Installation notes specific to my lab. I will install two hosts, debian40drbd-1 and debian40drbd-2. Each host will have two NICs, with one private IP (cross-over patch cable) and one public IP (switch) connection.
Replication takes place over the private network.
The cluster shares a common virtual IP address, with the NFS services reachable on the public network.
/data/export will be the NFS share directory on each member.

Hardware:
2 Dell GX150 SFF 933MHz, with two NICs each and a single ATA disk each
1 crossover patch cable (private network)
1 switch (public network)
1 laptop (Debian NFS client)

Setup

Install from netinst
[http://cdimage.debian.org/debian-cd/4.0_r0/i386/iso-cd/debian-40r0-i386-netinst.iso]

Partition disk
Type  Mount       Size
P     /           1Gb
L     /home       1Gb
L     /usr        1Gb
L     /var        1Gb
L     /tmp        1Gb
L     /usr/local  1Gb
L     (empty)     1Gb    Used for DRBD meta data (only needs 128mb, but I keep it simple)
L     /srv        1Gb
L     /boot       1Gb
L     (empty)     10Gb   Used for DRBD storage
L     swap        512Mb

Name the first server debian40drbd-1
Name the second server debian40drbd-2
Use DHCP during install
Select minimal install options
Add user and root password
Restart

Configure networking

Host debian40drbd-1

$ vi /etc/network/interfaces

# Public network interface
auto eth1
iface eth1 inet static
address 192.168.200.20
netmask 255.255.255.0
gateway 192.168.200.254

# Replication network interface
auto eth0
iface eth0 inet static
address 192.168.254.10
netmask 255.255.255.0

:wq

Host debian40drbd-2

$ vi /etc/network/interfaces

# Public network interface
auto eth1
iface eth1 inet static
address 192.168.200.40
netmask 255.255.255.0
gateway 192.168.200.254

# Replication network interface
auto eth0
iface eth0 inet static
address 192.168.254.20
netmask 255.255.255.0

:wq

After configuring the network, reboot and check connectivity on all interfaces.

Update the package system sources. If needed, add the distribution repository to /etc/apt/sources.list:
http://ftp.debian.org etch contrib main

Run apt-get update && apt-get upgrade

Install SSH and time-keeping utils:
$ apt-get install ssh ntp ntpdate

Modify sshd to listen on IPv4:
$ vi /etc/ssh/sshd_config
Uncomment #ListenAddress

:wq

$ invoke-rc.d ssh restart

Install NFS Server

$ aptitude install nfs-kernel-server
..
Get:1 http://ftp.debian.org/ etch/main nfs-kernel-server 1:1.0.10-6 [136kB]
Fetched 136kB in 1s (111kB/s)
Selecting previously deselected package nfs-kernel-server.
(Reading database ... 18487 files and directories currently installed.)
Unpacking nfs-kernel-server (from .../nfs-kernel-server_1%3a1.0.10-6_i386.deb) ...
Setting up nfs-kernel-server (1.0.10-6) ...
Creating config file /etc/exports with new version
Creating config file /etc/default/nfs-kernel-server with new version
Starting NFS common utilities: statd idmapd.
Exporting directories for NFS kernel daemon....
Starting NFS kernel daemon: nfsd mountd.

Remove NFS autostart (heartbeat will start NFS on whichever node is active):

$ update-rc.d -f nfs-kernel-server remove
$ update-rc.d -f nfs-common remove

Optional: reboot and verify that NFS does not autostart.

Configure NFS Export

$ vi /etc/exports

/data/export/ 192.168.200.0/255.255.255.0(rw,no_root_squash,no_all_squash,sync)

:wq

Note that no_root_squash lets root on any client in 192.168.200.0/24 act as root on the export; it is fine for this lab, but on a production network restrict the client list to the hosts that actually need it.

Install DRBD!

$ apt-get install linux-headers-`uname -r` drbd0.7-module-source drbd0.7-utils

$ cd /usr/src && tar -xvzf drbd0.7.tar.gz
$ cd /usr/src/modules/drbd/drbd && make
$ cd /usr/src/modules/drbd/drbd && make install
$ mv /etc/drbd.conf /etc/drbd.conf.orig

$ vi /etc/drbd.conf

resource r0 {
    protocol C;                 # synchronous replication: a write completes only when both nodes have it
    incon-degr-cmd "halt -f";   # halt rather than serve stale data if the node starts inconsistent and degraded
    startup {
        degr-wfc-timeout 120;   # 2 minutes.
    }
    disk {
        on-io-error detach;
    }
    net {
    }
    syncer {
        rate 10M;
        group 1;
        al-extents 257;
    }
    on debian40drbd-1 {                   # hostname of server 1 (uname -n)
        device /dev/drbd0;                #
        disk /dev/hda13;                  # ** EDIT ** data partition on server 1
        address 192.168.254.10:7788;      # ** EDIT ** IP address on server 1
        meta-disk /dev/hda10[0];          # ** EDIT ** X MB partition for DRBD metadata on server 1
    }
    on debian40drbd-2 {                   # hostname of server 2 (uname -n)
        device /dev/drbd0;                #
        disk /dev/hda13;                  # ** EDIT ** data partition on server 2
        address 192.168.254.20:7788;      # ** EDIT ** IP address on server 2
        meta-disk /dev/hda10[0];          # ** EDIT ** X MB partition for DRBD metadata on server 2
    }
}

:wq

Fire up DRBD!

$ modprobe drbd
$ drbdadm up all

$ cat /proc/drbd
version: 0.7.21 (api:79/proto:74)
SVN Revision: 2326 build by root@debian40drbd-2, 2007-07-17 17:02:24
 0: cs:Connected st:Secondary/Secondary ld:Inconsistent
    ns:0 nr:0 dw:0 dr:0 al:0 bm:1194 lo:0 pe:0 ua:0 ap:0
 1: cs:Unconfigured

Make debian40drbd-1 primary:
$ drbdadm -- --do-what-I-say primary all
$ drbdadm -- connect all

Check status:

debian40drbd-1:/etc# cat /proc/drbd
version: 0.7.21 (api:79/proto:74)
SVN Revision: 2326 build by root@debian40drbd-1, 2007-07-17 17:05:40
 0: cs:SyncSource st:Primary/Secondary ld:Consistent
    ns:608348 nr:0 dw:0 dr:687168 al:0 bm:1235 lo:0 pe:35 ua:39 ap:0
        [=>..................] sync'ed:  6.3% (8868/9462)M
        finish: 0:13:57 speed: 10,844 (10,308) K/sec
 1: cs:Unconfigured

Initial block level replication done:

debian40drbd-2:/# cat /proc/drbd
version: 0.7.21 (api:79/proto:74)
SVN Revision: 2326 build by root@debian40drbd-2, 2007-07-17 17:02:24
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:0 nr:9767544 dw:9767544 dr:0 al:0 bm:1791 lo:0 pe:0 ua:0 ap:0
 1: cs:Unconfigured

Configure the NFS directory holding the data:
$ mkdir /data

On server debian40drbd-1:
$ mkfs.ext3 /dev/drbd0
..
mke2fs 1.40-WIP (14-Nov-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1221600 inodes, 2441872 blocks
122093 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2503999488
75 block groups
32768 blocks per group, 32768 fragments per group
16288 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
..

On server debian40drbd-1 (move the NFS state directory onto the replicated device so that client locks and state fail over with the data):
$ /etc/init.d/nfs-kernel-server stop
$ mount -t ext3 /dev/drbd0 /data
$ mv /var/lib/nfs/ /data/
$ ln -s /data/nfs/ /var/lib/nfs
$ mkdir /data/export
$ umount /data

On server debian40drbd-2:
$ rm -fr /var/lib/nfs/
$ ln -s /data/nfs/ /var/lib/nfs

Some error messages will be displayed; don't bother about them right now.

Install Linux HA

$ aptitude install heartbeat
...
Setting up heartbeat (1.2.5-3) ...
Heartbeat not configured: /etc/ha.d/ha.cf not found.
Heartbeat failure [rc=1]. Failed...
...

So now we need to set up the configs:
$ less /etc/ha.d/README.config
...
You need three configuration files to make heartbeat happy,
and they all go in this directory.
They are:
ha.cf           Main configuration file
haresources     Resource configuration file
authkeys        Authentication information

:q

On debian40drbd-1 and -2:
$ vi /etc/ha.d/ha.cf
logfacility local0
keepalive 2
#deadtime 30 # USE THIS!!!
deadtime 10
bcast eth1
node debian40drbd-1 debian40drbd-2

:wq

On debian40drbd-1 and -2:
$ vi /etc/ha.d/haresources

debian40drbd-1 IPaddr::192.168.200.60/24/eth1 drbddisk::r0 \
    Filesystem::/dev/drbd0::/data::ext3 nfs-kernel-server

:wq

On debian40drbd-1 and -2:
$ vi /etc/ha.d/authkeys
auth 3
3 md5 %¤&%*`2¤%&%35ER;er.,,wrw!"##&%¤#%¤%

:wq

Root read-only on authkeys (heartbeat refuses to start if the file is readable by others):
$ chmod 600 /etc/ha.d/authkeys

Now we can start our daemons..

$ invoke-rc.d drbd start
$ invoke-rc.d heartbeat start

If there are no errors, now reboot each server.

Check /proc/drbd after each server is up again.

Now I test mounting the NFS share from another Debian server:
$ mount 192.168.200.60:/data/export /data
$ df -h
...
192.168.200.60:/data/export 9.2G 150M 8.6G 2% /data
...

Looks good!

Now I want to stream some data onto my debian40drbd-1 and 2:
debian01:~# cat /dev/urandom > /data/urandomseed.testfile

And yes! The HDD lights on both servers blink in concert, replicating data blocks in real time..

So, now one user accidentally powers off debian40drbd-1.. What happens to my stream..?

Let's see..

On debian40drbd-2, I install tcpdump and look for new traffic arriving after debian40drbd-1 is down..

$ tcpdump -i eth1 not tcp port 22 -w hafailover.pcap
$ tcpdump -nn -r hafailover.pcap | less
..
14:45:20.474863 IP 192.168.200.20.32778 > 192.168.200.255.694: UDP, length 146
14:45:21.692595 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:22.474836 IP 192.168.200.20.32778 > 192.168.200.255.694: UDP, length 146
14:45:23.692768 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:25.696681 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:27.696859 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:29.697120 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:31.697129 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:33.640233 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 171
14:45:33.697822 IP 192.168.200.40.32781 > 192.168.200.255.694: UDP, length 145
14:45:34.302344 arp who-has 192.168.200.60 tell 192.168.200.60
14:45:34.624485 IP 192.168.200.10.3892429578 > 192.168.200.60.2049: 1472 write [nfs]
14:45:34.624602 IP 192.168.200.10 > 192.168.200.60: udp
14:45:34.624723 IP 192.168.200.10 > 192.168.200.60: udp
14:45:34.624845 IP 192.168.200.10 > 192.168.200.60: udp
...
Host debian40drbd-1 is downed
...
14:45:34.627062 IP 192.168.200.10 > 192.168.200.60: udp
14:45:34.627088 IP 192.168.200.10 > 192.168.200.60: udp
14:45:34.629014 arp who-has 192.168.200.10 tell 192.168.200.60
14:45:34.629163 arp reply 192.168.200.10 is-at 00:40:63:e5:17:92
14:45:34.629185 IP 192.168.200.60 > 192.168.200.10: ICMP 192.168.200.60 udp port 2049 unreachable, length 556
14:45:34.813261 arp reply 192.168.200.60 is-at 00:b0:d0:d5:12:7f
14:45:35.325226 arp who-has 192.168.200.60 tell 192.168.200.60
14:45:35.504480 IP 192.168.200.10.3909206794 > 192.168.200.60.2049: 1472 write [nfs]
14:45:35.504584 IP 192.168.200.10 > 192.168.200.60: udp
14:45:35.504708 IP 192.168.200.10 > 192.168.200.60: udp
14:45:35.504833 IP 192.168.200.10 > 192.168.200.60: udp
...

The UDP/694 broadcasts are the heartbeat packets; after 14:45:22 only debian40drbd-2 (.40) is still sending them, and the "arp who-has 192.168.200.60 tell 192.168.200.60" lines are the gratuitous ARPs from heartbeat's IPaddr resource announcing the virtual IP on the surviving node. The ICMP port unreachable shows the NFS write that arrived before nfsd was up; the client retries and the next write succeeds.

Now debian40drbd-2 receives the data.

I power up debian40drbd-1, log in and check the drbd status:

debian40drbd-1:~# cat /proc/drbd
version: 0.7.21 (api:79/proto:74)
SVN Revision: 2326 build by root@debian40drbd-1, 2007-07-17 17:05:40
 0: cs:SyncSource st:Primary/Secondary ld:Consistent
    ns:274972 nr:0 dw:4 dr:275901 al:0 bm:274 lo:199 pe:61 ua:227 ap:0
        [=====>..............] sync'ed: 26.5% (776472/1051200)K
        finish: 0:01:13 speed: 10,508 (7,424) K/sec

And after a while the systems are synchronised again!

debian40drbd-2:~# cat /proc/drbd
version: 0.7.21 (api:79/proto:74)
SVN Revision: 2326 build by root@debian40drbd-2, 2007-07-17 17:02:24
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:920048 nr:104 dw:104 dr:920048 al:0 bm:220 lo:0 pe:0 ua:0 ap:0

So now I know my NFS storage cluster can tolerate one host failure.

TODO
Set up DRBD between machines debian40drbd-1 and -2. Export the /dev/drbd0 device using iSCSI Enterprise Target to the clients. Use heartbeat for control of the iSCSI target and DRBD. Clients access the iSCSI device already exported using an iSCSI initiator. Format the iSCSI device with GFS or OCFS2 (multiple accesses).


Build Ubuntu / Debian SUN Java Package .deb
Posted 2007-07-16 by Niklas Eriksson (updated 2007-07-22)

I needed to run the SUN Java VM, so I decided to build a .deb package, simplifying deployments.

Note: the Ubuntu / Debian build tools are tailored towards the JRE release 5.
Java release 6.x may be available to you if you run Debian 4.0 "Etch" unstable [http://packages.debian.org/unstable/source/sun-java6]
or Ubuntu [http://packages.ubuntu.com/feisty/source/sun-java6].

Install build tools:
$ apt-get install fakeroot java-package

Download Java:

http://java.sun.com/javase/downloads/index_jdk5.jsp

Select
Java Runtime Environment (JRE) Update 12
>> Download

Accept the License Agreement (this package does NOT comply with Debian policy).

Download the appropriate file:
Linux Platform
Linux (self-extracting file)

Run fakeroot (as a normal user):

$ fakeroot make-jpkg jre1_5_0_12-linux-i586.bin
..
Creating temporary directory: /tmp/make-jpkg.OKdPx17517
Loading plugins: blackdown-j2re.sh blackdown-j2sdk.sh common.sh ibm-j2re.sh ibm-j2sdk.sh j2re.sh j2sdk-doc.sh j2sdk.sh j2se.sh sun-j2re.sh sun-j2sdk-doc.sh sun-j2sdk.sh

Detected Debian build architecture: i386
Detected Debian GNU type: i486-linux-gnu

Detected product:
 Java(TM) Runtime Environment (JRE)
 Standard Edition, Version 1.5.0+update12
 Sun Microsystems(TM), Inc.
Is this correct [Y/n]:
...
If you do not agree to the displayed license terms, the
package will not be built.

Press [Return] to continue:
Sun Microsystems, Inc. Binary Code License Agreement
for the JAVA 2 PLATFORM STANDARD EDITION RUNTIME ENVIRONMENT 5.0
...
Do you agree to the above license terms? [yes or no]
...
The Debian package has been created in the current directory. You can
install the package as root (e.g. dpkg -i sun-j2re1.5_1.5.0+update12_i386.deb
...

Done; now I can deploy sun-j2re1.5_1.5.0+update12_i386.deb with ease on systems with the same build.
If I want to deploy the SUN Java VM to Debian Sarge I need to rebuild the SUN Java *.deb on a Sarge host before deployment.


Add Google Linux Software Repositories to Ubuntu
Posted 2007-07-16 by Niklas Eriksson

Add the Google key to apt:
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
apt-get update

Create a new source repository:
vi /etc/apt/sources.list.d/google.list

# Google software repository
deb http://dl.google.com/linux/deb/ stable non-free

Now you can add Google Desktop / others:
sudo apt-get update
sudo apt-get install google-desktop-linux

Done!


Monitor harddrives using smartmontools in FreeBSD
Posted 2007-06-11 by Niklas Eriksson

"Control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks.
In many cases, these utilities will provide advanced warning of disk degradation and failure."

Prerequisite: update ports with portsnap.

# cd /usr/ports/sysutils/smartmontools
# make install clean

# cd /usr/local/etc/
# ls smart*
smartd.conf.sample

# cp smartd.conf.sample smartd.conf

# dmesg | grep ata
...
ad0: 76319MB <seagate> at ata0-master SATA150
ad1: 76319MB <seagate> at ata0-slave SATA150
...

Check that SMART is enabled before we add the config (repeat for /dev/ad1):
# rehash
# smartctl -a /dev/ad0
..
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
..

# vi smartd.conf

Disable the scan:
#DEVICESCAN

# -a monitor all attributes, -I 194 ignore changes in attribute 194 (temperature),
# -W 4,30,40 warn on a 4 degree change / 30 C info / 40 C critical,
# -R 5 report raw value changes of attribute 5 (reallocated sectors), -m mail address
/dev/ad0 -a -I 194 -W 4,30,40 -R 5 -m operator@domain.com
/dev/ad1 -a -I 194 -W 4,30,40 -R 5 -m operator@domain.com

# echo 'smartd_enable="YES"' >> /etc/rc.conf

Done!


SSMTP, forward mail to smarthost in FreeBSD
Posted 2007-06-11 by Niklas Eriksson

SSMTP works (great) only for outgoing mail.
"Mail is simply forwarded to the configured mailhost. It does not receive mail, expand aliases or manage a queue."

Let's say you have some loghost which should not be able to receive mail; SSMTP works great there.
Sendmail only binds to 127.0.0.1:25 by default, but disabling it still reduces the listening ports. I like that..

Prerequisite: update FreeBSD ports with portsnap..

Now the action:

freebsd62# cd /usr/ports/mail/ssmtp
freebsd62# make install clean
freebsd62# cd /usr/local/etc/ssmtp
freebsd62# ls
revaliases.sample ssmtp.conf.sample
freebsd62# cp revaliases.sample revaliases
freebsd62# cp ssmtp.conf.sample ssmtp.conf
freebsd62# ls
revaliases revaliases.sample ssmtp.conf ssmtp.conf.sample
freebsd62# vi /usr/local/etc/ssmtp/ssmtp.conf

# smarthost that all outgoing mail is handed to
mailhub=mail.domain.com
rewriteDomain=domain.com
hostname=freebsd62.domain.com

# vi /etc/rc.conf
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Test:
mail -s "Testing" your.address@domain.com

<ctrl-d>


Offline pcap NSM Analysis Script
Posted 2007-05-30 by Niklas Eriksson

#!/bin/sh
# - - -
# Offline pcap NSM Analysis Script - Tested on Mr Bejtlich's FreeBSD 5.4 VM ( www.SGUIL.net )
# I made this script for personal use primarily, nice if you find it useful.
# nillepill[at]gmail.com
# - - -
# Would like to recommend TaoSecurity Training, http://www.taosecurity.com/training.html
# I really enjoyed attending the 4 day Network Security Operations Course
# - - -

# Description
# Takes input from the specified tcpdump file.
# Creates new folders in the user's home directory and puts all analysis
# output in those directories.
#

# Environment
WORK_DIR=$HOME
FILE=$1
CASE_FOLDER=$(date +%H-%M-%S)-$1
ANALYSIS_FOLDER=NSM_Analysis
DATE_FOLDER=$(date +%Y-%m-%d)
HASH_DIR=HASHES
# Tools
DATE=/bin/date
TCPDSTAT=/usr/local/bin/tcpdstat
CAPINFOS=/usr/X11R6/bin/capinfos
TCPDUMP=/usr/sbin/tcpdump
TETHEREAL=/usr/X11R6/bin/tethereal
# -q quiet, -z io,phs protocol hierarchy statistics, -n no name resolution, -r read from file
TETHEREAL_OPTIONS="-qzio,phs -nr"
P0F=/usr/local/bin/p0f
SNORT=/usr/local/bin/snort
SNORT_CONF=/usr/local/etc/nsm/snort.conf
ARGUS=/usr/local/sbin/argus
RAGATOR=/usr/local/bin/ragator
RACOUNT=/usr/local/bin/racount
RAHOSTS=/usr/local/bin/rahosts
RA=/usr/local/bin/ra
MD5=/sbin/md5
SHA1=/sbin/sha1
# Usage description
if [ -z "$1" ]; then
 echo ""
 echo "-----------------------------------"
 echo "Offline pcap NSM Analysis Script"
 echo "-----------------------------------"
 echo ""
 echo "Usage: $0 interface.pcap"
 echo ""
 exit 1
fi

# Full path of the case directory; every output file lands in here
CASE_DIR=$WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER

# Start Analysis
echo ""
echo "Starting Offline pcap NSM Analysis Script"
$DATE
echo ""

echo "# Create folders, copy file and set to read only"
mkdir -p "$CASE_DIR/$HASH_DIR"
cp "$FILE" "$CASE_DIR/"
chmod 400 "$CASE_DIR/$FILE"
echo "# Create hashes"
# Hash the read-only copy before any tool touches it, so the evidence can be verified later
$MD5 "$CASE_DIR/$FILE" > "$CASE_DIR/$HASH_DIR/$FILE.md5"
$SHA1 "$CASE_DIR/$FILE" > "$CASE_DIR/$HASH_DIR/$FILE.sha1"
echo "# Set hash mod"
chmod 400 "$CASE_DIR/$HASH_DIR/$FILE.sha1"
chmod 400 "$CASE_DIR/$HASH_DIR/$FILE.md5"
echo "# Set dir mod"
chmod 700 "$CASE_DIR/$HASH_DIR/"
echo "# Run statistical tools"
$CAPINFOS "$CASE_DIR/$FILE" > "$CASE_DIR/$FILE.txt.capinfos"
$TCPDSTAT "$CASE_DIR/$FILE" > "$CASE_DIR/$FILE.txt.tcpdstat"
$TETHEREAL $TETHEREAL_OPTIONS "$CASE_DIR/$FILE" > "$CASE_DIR/$FILE.txt.tethereal"
echo "# Run Session tools"
$ARGUS -r "$CASE_DIR/$FILE" -w "$CASE_DIR/$FILE.arg.bin"
$RAGATOR -r "$CASE_DIR/$FILE.arg.bin" -w "$CASE_DIR/$FILE.arg.bin.ragator"
$RACOUNT -ar "$CASE_DIR/$FILE.arg.bin.ragator" > "$CASE_DIR/$FILE.arg.txt.racount"
$RAHOSTS -nr "$CASE_DIR/$FILE.arg.bin.ragator" > "$CASE_DIR/$FILE.arg.txt.rahosts"
$RA -nn -r "$CASE_DIR/$FILE.arg.bin.ragator" -s saddr daddr dport proto | sort -n -t .
-k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq -c > $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/$FILE.arg.txt.ra.session<br />echo "# Fingerprint identifiable hosts"<br />$P0F -U -s $FILE -o $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/$FILE.txt.p0f<br />echo "# Run Alert tools"<br />$SNORT -c $SNORT_CONF -l . -b -y -r $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/$FILE -l $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/<br />echo "# Copy hostinfo to case"<br />uname -a >> $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/$FILE.txt.analysis.host<br />date >> $WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/$FILE.txt.analysis.date<br />echo "# Finish!"<br />echo ""<br />echo "------------------------------------------------------"<br />$DATE<br />echo "Analysis finished, data are ready for review in"<br />echo "$WORK_DIR/$ANALYSIS_FOLDER/$DATE_FOLDER/$CASE_FOLDER/"<br />echo ""<br />echo "------------------------------------------------------"<br />echo ""Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-47577927953347728802007-05-23T18:34:00.000+02:002007-05-23T18:39:34.546+02:00Save a tree each day using Windows :)Assume files and folders in drive F<br /><br />Batch.tree.f.bat Put directory tree into new file each day<br /><br />@echo off for /f "tokens=1-3 delims=- " %%g in ('date /t') do ( set yy=%%g set mm=%%h set dd=%%i ) tree /a f:\ > "f:\Daily Tree Backup\%yy%-%mm%-%dd%.tree.f.txt" if exist "f:\Daily Tree Backup\%yy%-%mm%-%dd%.tree.f.txt" ( rd /S /Q "f:\Daily Tree Backup\%yy%-%mm%-%dd%.tree.f.txt" )Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-86894136222571262662007-05-23T18:15:00.000+02:002007-05-23T18:26:29.339+02:00Send Exchange SMTP Logs To Syslog Server"Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML 
files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®."<br /><br /><a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en</a><br /><br /><br />Run in batchfile from Windows Scheduled tasks every (day/hour/other)<br /><br />Exchange.Syslog.smtp.bat<br />LogParser.exe file:Queryexchange.sql -i:IISW3C -iCheckPoint:cp.txt -o:SYSLOG<br /><br />Queryexchange.sql<br />SELECT TO_TIMESTAMP(date, time),c-ip,cs-username,s-sitename,s-computername,s-ip,s-port,cs-method,cs-uri-stem,cs-uri-query,sc-status,sc-win32-status,sc-bytes,cs-bytes,time-taken,cs-version,cs-host,cs(User-Agent),cs(Cookie),cs(Referer)<br />INTO @syslogserver.com:514<br />FROM L:\log\SMTPSVC1\*.log<br /><br />Looks nice in Splunk ;)Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-12145472214886989112007-05-21T13:46:00.000+02:002007-05-21T14:04:16.626+02:00FreeBSD 6.2 Raid-1How to setup software raid-1 during installation of FreeBSD 6.2.<br /><br />Pre req; Server with two sata harddrives prefered same brand and make.<br />Assume,<br />Hdd 1 = ad0<br />Hdd 2 = ad1<br /><br />Start installation, select ad0 as hdd, choose packages add some accounts etc. 
But DO NOT REBOOT when done!<br />Go back to installation and start "Fix it" shell (ALT+F4)<br /><br /># sysctl kern.geom.debugflags=16<br /># gmirror label -v -b round-robin gm0 /dev/ad0<br /># echo geom_mirror_load="YES" >> /boot/loader.conf<br /># vi /etc/fstab<br />Edit : i<br /><br />add /mirror/ after dev and change ad0 to gm0<br /><br />Real world example below<br /><br />Device Mountpoint FStype Options Dump Pass<br />/dev/mirror/gm0s1b none swap sw 0 0<br />/dev/mirror/gm0s1a / ufs rw 1 1<br />/dev/mirror/gm0s1e /tmp ufs rw 2 2<br />/dev/mirror/gm0s1f /usr ufs rw 2 2<br />/dev/mirror/gm0s1d /var ufs rw 2 2<br />/dev/acd0 /cdrom cd9660 ro,noauto 0 0<br /><br /><br />Check config and reboot<br />Continue below if reboot successful<br /><br /># gmirror insert gm0 /dev/ad1<br /># gmirror status<br />Check status, ad1 (hdd 2) should start rebuilding from ad0 (hdd 1)<br /><br /><br />Source<br /><a href="http://www.onlamp.com/pub/a/bsd/2005/11/10/FreeBSD_Basics.html">http://www.onlamp.com/pub/a/bsd/2005/11/10/FreeBSD_Basics.html</a>Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-55740111619579484702007-05-21T13:15:00.000+02:002007-06-12T10:55:48.213+02:00Splunk Base 2.2.3 - FreeBSD installationSplunk Install on FreeBSD 6.2<br /><br />You have to install ports before proceeding<br /><br />cd /usr/ports/misc/compat5x<br />#make install clean<br /><br /><br />#mkdir /usr/local/src<br />cd /usr/local/src<br /><br />#pkg_add -r wget<br /><br /><br />#wget 'http://www.splunk.com/index.php/download_track?file=/2.2.3/freebsd/splunk-2.2.3-18173-freebsd-5.4-intel.tgz&ac=&amp;wget=true&name=wget'<br /><br />Override default installation directory (/opt/splunk) I think nonstandard stuff "should" go to /usr/local/.. 
..<br /><br />#pkg_add -v -p /usr/local/src/ splunk-2.1-freebsd-5.4-intel.tgz<br /><br />Start Splunk<br />/usr/local/src/splunk/bin/splunk<br />..<br />License shows<br />..<br />Accept? y<br /><br />Splunk now listens on<br /><br />TCP<br />8000<br />8001<br />8089<br /><br /><br />If you want Splunk to listen for syslog,<br />be certain to keep it form starting on reboot.<br /><br /># vi /etc/rc.conf<br /><br />Add<br /><br />syslogd_enable="NO"<br /><br /><br />Then setup Splunk to run on startup<br /><br />#crontab -e<br /><br />@reboot /usr/local/src/splunk/bin/./splunk start<br /><br /><br />Done!<br /><br />Still, you need to enable local firewall for protectionNiklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com1tag:blogger.com,1999:blog-32199739.post-20194579643059495132007-05-21T11:04:00.000+02:002007-05-21T12:57:50.711+02:00PADS - Passive Asset Detection System"..It will listen to a network and attempt to provide an up-to-date look at the hosts and services running on the network."<br /><br /><a href="http://passive.sourceforge.net/">http://passive.sourceforge.net/</a><br /><br />Simple to run, maybe nohup or screen. 
Why not rc.d :)<br /><br />- - -<br /><br />$cat pads.em0<br /><br />#!/bin/sh<br />#A small PADS script, change values to match enviroment<br />#Define interface we use<br />INTERFACE=em0<br />#Define main directory we use, each interface gets a directory within<br />DIRECTORY=/nsm/pads<br />#Define local path to our binary<br />BINARY=/usr/local/bin/pads<br />#Define output<br />OUTPUT=assets.csv<br /><br />$BINARY -D -i $INTERFACE -w $DIRECTORY/$INTERFACE/$OUTPUT<br /><br />- - -Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-14135075624811983182007-05-21T10:42:00.000+02:002007-05-21T11:00:26.060+02:00Tethereal RingbufferSimple loggerscript, easy for running with nohup or screen.<br /><br />- - -<br /><br />#!/bin/sh<br />FILESIZE=1000000<br />FILENUMBER=200<br />INTERFACE=em0<br />/usr/local/bin/tethereal -n -i $INTERFACE -s 1515 -q -a filesize:$FILESIZE -b files:$FILENUMBER -w /nsm/em0/tethereal.fullcontent.ringbuffer.em0<br /><br />- - -<br /><br />Other tools<br /><br />Mr Bejtlich shows Deamonlogger, running ringbuffer using nonroot user/group.<br /><a href="http://taosecurity.blogspot.com/2007/04/daemonlogger-in-ring-buffer-mode.html">http://taosecurity.blogspot.com/2007/04/daemonlogger-in-ring-buffer-mode.html</a><br /><br />OpenBSD provides tcpdump builtin priv sep<br /><a href="http://ftp.bg.openbsd.org/OpenBSD/src/usr.sbin/tcpdump/privsep.c">http://ftp.bg.openbsd.org/OpenBSD/src/usr.sbin/tcpdump/privsep.c</a>Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-34148910490713829432007-05-04T08:17:00.000+02:002007-05-04T10:12:06.011+02:00SGUIL Setup Part 1<span style="color: rgb(0, 0, 0);font-family:arial;" > </span><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_0" >Step</span><span style="color: rgb(255, 255, 255);font-family:arial;" > 
</span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_1" >one</span><span style="color: rgb(255, 255, 255);font-family:arial;" >, </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_2" >acquire</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_3" >hardware</span><span style="color: rgb(255, 255, 255);font-family:arial;" >!</span><br /><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_4" >What</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_5" >do</span><span style="color: rgb(255, 255, 255);font-family:arial;" > I </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_6" >have</span><span style="color: rgb(255, 255, 255);font-family:arial;" >?</span><br /><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_7" >Today</span><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_8" >Fujitsu</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_9" >Siemens</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_10" >RX</span><span style="color: rgb(255, 255, 255);font-family:arial;" >100 1U 2.4/512/80+320/3 NIC</span><br /><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" 
id="SPELLING_ERROR_11" >Future</span><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_12" >1 HP</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_13" >Proliant</span><span style="color: rgb(255, 255, 255);font-family:arial;" > DL380G3 2U 2.8/2048/72 + 72/2 NIC</span><br /><span style="color: rgb(255, 255, 255);">0SEK</span><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_8" >2 Fujitsu</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_9" >Siemens</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_10" >RX</span><span style="color: rgb(255, 255, 255);font-family:arial;" >100 S2 1U 3.0/1500/250+250/3 NIC</span><br /><span style="color: rgb(255, 255, 255);">0SEK</span><br /><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_14" >Needs</span><br /><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_15" >TAP</span><span style="color: rgb(255, 255, 255);font-family:arial;" > - </span><br /><span style="color: rgb(255, 255, 255);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_16" >2 NetOptics</span><span style="color: rgb(255, 255, 255);font-family:arial;" > </span><a style="font-family: arial; color: rgb(255, 255, 255);" href="http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1&tag=NetOptics+Network+Taps" class="prodHdr"><span class="prodHdr">10/100<span class="blsp-spelling-error" 
id="SPELLING_ERROR_17">BaseT</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_18">Tap</span></span></a><br /> <span style="color: rgb(255, 255, 255);"><span style="color: rgb(0, 0, 0);font-family:arial;" >P/N: </span><span style="color: rgb(0, 0, 0);font-family:arial;" class="blsp-spelling-error" id="SPELLING_ERROR_19" >TP-CU</span><span style="font-family:arial;"><span style="color: rgb(0, 0, 0);"> (96430)</span><br />3800SEK pcs<br /><br /><span style="color: rgb(0, 0, 0);">NIC -<br /></span></span></span><span style="color: rgb(255, 255, 255);" id="lblProductName" class="ProductDetailName">2 </span><span style="color: rgb(255, 255, 255);" id="lblProductName" class="ProductDetailName">INTEL PRO/1000PT DUAL PORT SERVER ADAPTER PCI-E</span><span style="color: rgb(255, 255, 255);" id="lblProductName" class="ProductDetailName"><br />P/N: EXPI9402PTBLK<br />1400SEK pcs<br /><br />HDD -<br />4 </span><span style="color: rgb(255, 255, 255);" id="lblProductName" class="ProductDetailName">SEAGATE BARRACUDA ES 250GB SATA/300 16MB<br /></span><table style="margin-top: 5px; margin-bottom: 3px; color: rgb(255, 255, 255);" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="tdInfoBox" valign="top"><br /></td> <td class="tdInfoBox" valign="top"><span id="lblManufProductID">P/N: ST3250620NS</span></td></tr></tbody></table><span style="color: rgb(255, 255, 255);">600SEK pcs</span><br /><br /><span style="color: rgb(255, 255, 255);">2 HP Universal Hard Drive - Hårddisk - 146.8 GB - hot-swap - 3.5" - Ultra320 SCSI - 10000 rpm</span><br /><span style="color: rgb(255, 255, 255);">P/N: 286716-B22</span><br /><span style="color: rgb(255, 255, 255);">2800SEK pcs</span>Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-79142565658873858862007-04-07T21:46:00.000+02:002007-04-07T21:49:19.089+02:00Kismet Maps with Google Mapping" The purpose of gpsmap-gmap is to plot all wireless networks 
found with kismet onto a google map."<br /><br /><br />http://parknation.com/gmap/<br />http://www.wirelessdefence.org/Contents/Kismet%20Wireless%20Mapping.htmNiklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0tag:blogger.com,1999:blog-32199739.post-91632597656820141922007-04-07T21:41:00.000+02:002007-04-07T21:44:25.976+02:00Minimize win32 surfacehttp://www.nliteos.com/nlite.html<br /><br />"nLite is a tool for permanent Windows components removal and pre-installation Windows configuration. After removal there is an option to make bootable image ready for burning on cd or testing in virtual machines.<br />With nLite you will be able to have Windows installation which on install does not include, or even contain on cd, the unwanted components."Niklas Erikssonhttp://www.blogger.com/profile/06229974262654005666noreply@blogger.com0