SplunkForwarder

Install/Configure Splunkforwarder

# Download the universal forwarder from here: http://www.splunk.com/download/universalforwarder (you will need an account to download it).
# Copy it up to the servers:
<pre>
for i in IPADDRESS1 IPADDRESS2 ; do scp splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm DLopez@$i: ; done
</pre>
# Install RPM: *sudo rpm -ivh splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm*
# Start splunk to create the necessary file structure:
<pre>
root@sc9vl55:/data01/home/DLopez> /etc/init.d/splunk start
Starting Splunk…

Splunk> Finding your faults, just like mom.

Checking prerequisites…
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in ‘/opt/splunkforwarder/etc/auth’.
Checking conf files for typos… Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)… Done
[ OK ]
</pre>
# Add the forward-server: */opt/splunkforwarder/bin/splunk add forward-server 10.92.13.195:9997*. The default user and password are *admin/changeme*. The inputs.conf and server.conf files are created when the RPM is installed; this add forward-server command is what creates the outputs.conf file.
# Change the default credentials: */opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme*
# Test forward connection: */opt/splunkforwarder/bin/splunk list forward-server*
# Finally, add the data you want to forward: */opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%*, where /path/to/app/logs/ is the path to the application logs on the host that you want to bring into Splunk and %app% is the sourcetype name you want to associate with that kind of data. This creates an inputs.conf file at */opt/splunkforwarder/etc/apps/search/local/inputs.conf*.
# Restart splunk: */etc/init.d/splunk restart*

BEAST and CRIME SSL/TLS vulnerability

I recently ran a vulnerability scan against my web servers and it reported the BEAST and CRIME vulnerabilities.

RHEL5 Apache

Simple PCI DSS compliant and compatible setup for RHEL5 Apache, with 3DES as a last resort, against BEAST (note: this reflects the guidance of the time; RC4 has since been prohibited for TLS by RFC 7465 and 3DES is also considered weak, so treat these cipher lists as a historical baseline):
<pre>
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
</pre>

Simple CRIME reduction for the same setup (disables TLS compression in OpenSSL for httpd):
<pre>
echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
</pre>

You can test your websites URL here: https://www.ssllabs.com/ssltest/

Lighttpd

Edit the lighttpd.conf file and add the following for BEAST (the quotes must be plain ASCII double quotes):
<pre>
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = enable
</pre>

Splunk Node

This works for Splunk 4.3 or higher; versions below 4.3 have no cipher setting. Edit the web.conf file and add the following:
<pre>
enableSplunkWebSSL = true
supportSSLV3Only = true
cipherSuite = RC4+RSA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:+HIGH:!MEDIUM:!LOW
</pre>

For the CRIME vulnerability edit server.conf. My forwarders don't need web enabled!
<pre>
[httpServer]
disableDefaultPort = true
supportSSLV3Only = true
</pre>

Test mail command line

<pre>
telnet mailserver_ip_address 25
EHLO
mail from: email@address.com
rcpt to: email@address.com
data
(enter the text of the mail message)
.
quit
</pre>

A line containing only a single dot ends the message; the server should then reply with *250 2.0.0 Message accepted for delivery*.

Version of ESX from command line

I got this from this blog: http://virtwo.blogspot.com/2010/10/which-esx-version-am-i-running-on.html

As root run: *dmidecode | grep -A4 "BIOS Information"*
<pre>
BIOS Information
Vendor: Phoenix Technologies LTD
Version: 6.00
Release Date: 10/13/2009
Address: 0xEA2E0
</pre>

Then match to below.

(An update of an older post: now with vSphere 4.1 info. Further updated in 2011 with vSphere 5 info.)
Your Linux runs on a VMware VM, but which ESX version is it? You can see for yourself (as already explained in an earlier post on this blog). Run "dmidecode" and look at lines 10, 11 and 12. The list has been updated with current info:
ESX 2.5 – BIOS Release Date: 04/21/2004 – Address 0xE8480 – Size 97152 bytes
ESX 3.0 – BIOS Release Date: 04/17/2006 – Address 0xE7C70 – Size 99216 bytes
ESX 3.5 – BIOS Release Date: 01/30/2008 – Address 0xE7910 – Size 100080 bytes
ESX 4 – BIOS Release Date: 08/15/2008 – Address 0xEA6C0 – Size 88384 bytes
ESX 4U1 – BIOS Release Date: 09/22/2009 – Address 0xEA550 – Size 88752 bytes
ESX 4.1 – BIOS Release Date: 10/13/2009 – Address 0xEA2E0 – Size 89376 bytes
ESX 5 – BIOS Release Date: 01/07/2011 – Address 0xE72C0 – Size 101696 bytes
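As an added example (not from this page or the quoted blog), a Python script that parses the BIOS Information block of dmidecode output and matches release date and address against the table above; the sample output embedded in it is constructed from the values shown on this page.

```python
# Added example: parse dmidecode's "BIOS Information" block and match it
# against the ESX table above (table and sample taken from this page).

# (release date, BIOS address, lower-case) -> ESX version, from the table above
ESX_BIOS_TABLE = {
    ("04/21/2004", "0xe8480"): "ESX 2.5",
    ("04/17/2006", "0xe7c70"): "ESX 3.0",
    ("01/30/2008", "0xe7910"): "ESX 3.5",
    ("08/15/2008", "0xea6c0"): "ESX 4",
    ("09/22/2009", "0xea550"): "ESX 4U1",
    ("10/13/2009", "0xea2e0"): "ESX 4.1",
    ("01/07/2011", "0xe72c0"): "ESX 5",
}

# Constructed sample shaped like real dmidecode output, using this page's values.
SAMPLE_DMIDECODE = """\
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Phoenix Technologies LTD
\tVersion: 6.00
\tRelease Date: 10/13/2009
\tAddress: 0xEA2E0
\tRuntime Size: 89376 bytes

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: VMware, Inc.
"""


def parse_bios_info(dmidecode_output):
    """Return the key/value fields of the 'BIOS Information' block ({} if absent)."""
    fields, in_block = {}, False
    for line in dmidecode_output.splitlines():
        if line.strip() == "BIOS Information":
            in_block = True
            continue
        if in_block:
            if not line.strip():          # a blank line terminates the DMI block
                break
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def guess_esx_version(dmidecode_output):
    """Map (Release Date, Address) to an ESX version; None if not in the table."""
    f = parse_bios_info(dmidecode_output)
    return ESX_BIOS_TABLE.get((f.get("Release Date"), f.get("Address", "").lower()))
```

Feed it the full output of dmidecode (run as root); an unknown date/address pair returns None rather than guessing.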

Convert .crt/.key to .pfx

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

E-mail

Testing Reverse DNS Lookup

<pre>
[dlopez@hostname ~]$ dig mail-relay.prod.domain.com. +nocomments | egrep "NS|A"
;mail-relay.prod.domain.com. IN A
mail-relay.prod.domain.com. 6 IN A IPAddress
domain.com. 86138 IN NS pdns1.ultradns.net.
domain.com. 86138 IN NS pdns5.ultradns.info.
domain.com. 86138 IN NS pdns2.ultradns.net.
domain.com. 86138 IN NS pdns4.ultradns.org.
domain.com. 86138 IN NS pdns6.ultradns.co.uk.
domain.com. 86138 IN NS pdns3.ultradns.org.
pdns1.ultradns.net. 1360 IN A 204.74.108.1
pdns1.ultradns.net. 1360 IN AAAA 2001:502:f3ff::1
pdns2.ultradns.net. 772 IN A 204.74.109.1
pdns3.ultradns.org. 3252 IN A 199.7.68.1
pdns4.ultradns.org. 3252 IN A 199.7.69.1
pdns4.ultradns.org. 3252 IN AAAA 2001:502:4612::1
pdns5.ultradns.info. 2412 IN A 204.74.114.1
pdns6.ultradns.co.uk. 120 IN A 204.74.115.1
;; WHEN: Mon Apr 9 20:00:02 2012
[bfisher@hostname ~]$ dig -x IPAddress +nocomments | egrep "NS|PTR"
;IPAddress.in-addr.arpa. IN PTR
IPAddress.in-addr.arpa. 65939 IN PTR mail-relay.prod.domain.com.
IPAddress.in-addr.arpa. 65939 IN NS pdns4.ultradns.org.
IPAddress.in-addr.arpa. 65939 IN NS pdns1.ultradns.net.
IPAddress.in-addr.arpa. 65939 IN NS pdns3.ultradns.org.
IPAddress.in-addr.arpa. 65939 IN NS pdns6.ultradns.co.uk.
IPAddress.in-addr.arpa. 65939 IN NS pdns5.ultradns.info.
IPAddress.in-addr.arpa. 65939 IN NS pdns2.ultradns.net.
[dlopez@hostname ~]$
</pre>

You can also check http://www.mxtoolbox.com/SuperTool.aspx and type in IPAddress
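The forward/PTR comparison done by hand with dig above, as an added Python example (not from this page): a forward-confirmed reverse DNS check that resolves the relay's addresses, looks up each PTR, and requires the PTR name to resolve back to the same address. The zone data embedded for the offline run is constructed; the live functions use the system resolver.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check for a mail relay.
import socket


def forward_lookup(hostname):
    """All A/AAAA addresses of hostname via the system resolver ([] if none)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def reverse_lookup(ip):
    """PTR name for ip via the system resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fcrdns_check(hostname, forward=forward_lookup, reverse=reverse_lookup):
    """For each address of hostname, require a PTR whose own forward lookup
    contains that address. Returns {ip: (ptr_name_or_None, passed)}."""
    results = {}
    for ip in forward(hostname):
        ptr = reverse(ip)
        passed = ptr is not None and ip in forward(ptr.rstrip("."))
        results[ip] = (ptr, passed)
    return results


# Constructed sample zone mirroring the dig output above (the real address there
# is shown as IPAddress; 192.0.2.x is documentation address space).
SAMPLE_FORWARD = {
    "mail-relay.prod.domain.com": ["192.0.2.25"],
    "other-host.prod.domain.com": ["192.0.2.26"],
}
SAMPLE_REVERSE = {
    "192.0.2.25": "mail-relay.prod.domain.com",  # PTR agrees with the A record
    "192.0.2.26": "mail-relay.prod.domain.com",  # PTR names a host that does not map back
}


def sample_check(hostname):
    """Run fcrdns_check against the constructed zone instead of live DNS."""
    return fcrdns_check(hostname,
                        forward=lambda name: SAMPLE_FORWARD.get(name, []),
                        reverse=lambda ip: SAMPLE_REVERSE.get(ip))
```

Call fcrdns_check("mail-relay.prod.domain.com") with the defaults to run it against live DNS; a False result for any address is what receiving mail servers will see as a reverse DNS mismatch.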

Check for Blacklisting

Go to http://www.mxtoolbox.com/SuperTool.aspx, click the Blacklists tab and enter the IP address.

Enable SSH on Fedora 16

# Enable the sshd service: *systemctl enable sshd.service*
# Start the sshd service: *systemctl start sshd.service*
# Check sshd status if needed: *systemctl status sshd.service*
# Restart the sshd service when needed: *systemctl restart sshd.service*
# Stop the sshd service: *systemctl stop sshd.service*
# Finally, make sure port 22 is open in the firewall: *system-config-firewall*
