Denise's Tech Blog

SplunkForwarder

blesseddlo — Tue, 18 Dec 2012 00:14:13 +0000

Install/Configure Splunkforwarder

# Download the universal forwarder from here: http://www.splunk.com/download/universalforwarder You will need an account to download it.
# Copy it up to the servers:



for i in IPADDRESS1 IPADDRESS2 ; do scp splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm DLopez@$i: ; done

# Install RPM: *sudo rpm -ivh splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm*
# Start splunk to create the necessary file structure:

root@sc9vl55:/data01/home/DLopez> /etc/init.d/splunk start
Starting Splunk…

Splunk> Finding your faults, just like mom.

Checking prerequisites…
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in ‘/opt/splunkforwarder/etc/auth’.
Checking conf files for typos… Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)… Done
[ OK ]

# Add the forward-server: */opt/splunkforwarder/bin/splunk add forward-server 10.92.13.195:9997*. Default user and password is *admin/changeme*. By default the inputs.conf and server.conf files are created on install of rpm, this add forward-server creates the outputs.conf file.
# Change the default credentials: */opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme*
# Test forward connection: */opt/splunkforwarder/bin/splunk list forward-server*
# Finally add the data you want to forward: */opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%*. Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data. This will create an inputs.conf file here: */opt/splunkforwarder/etc/apps/search/local/inputs.conf*
# Restart splunk: */etc/init.d/splunk restart*

BEAST and CRIME SSL/TLS vulnerability

blesseddlo — Thu, 13 Dec 2012 18:36:56 +0000

I recently ran a vulnerability scan against my web servers and the BEAST and CRIME vulnerabilities.

RHEL5 Apache

Simple PCI DSS compliant and compatible setup for RHEL5 Apache with 3DES as last resort against BEAST:

SSLHonorCipherOrder On

SSLProtocol All -SSLv2

SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

Simple CRIME reduction for same setup:

echo >>/etc/sysconfig/httpd export OPENSSL_NO_DEFAULT_ZLIB=1

You can test your websites URL here: https://www.ssllabs.com/ssltest/

Lighttpd

Edit the lighttpd.conf file and add the following for BEAST:

ssl.cipher-list = “ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM”
ssl.honor-cipher-order = enable

Splunk Node

This works for Splunk 4.3 or higher, there is no setting for versions below 4.3 for Ciphers. Edit the web.conf file and add the following:

enableSplunkWebSSL = true

supportSSLV3Only = true

cipherSuite = RC4+RSA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:+HIGH:!MEDIUM:!LOW

For the CRIME vulnerability edit server.conf. My forwarders don’t need web enabled!

[httpServer]
disableDefaultPort = true

supportSSLV3Only = true

Test mail command line

blesseddlo — Tue, 17 Jul 2012 17:06:50 +0000

telnet mailserver_ip_address 25

EHLO

mail from: email@address.com

rcpt to: email@address.com

data

Enter text of mail message

. (to stop)

250 2.0.0 Message accepted for delivery

quit

Version of ESX from command line

blesseddlo — Mon, 16 Jul 2012 21:42:56 +0000

I got this from this blog: http://virtwo.blogspot.com/2010/10/which-esx-version-am-i-running-on.html

As root run: dmidecode | grep -A4 “BIOS Information”

BIOS Information
Vendor: Phoenix Technologies LTD
Version: 6.00
Release Date: 10/13/2009
Address: 0xEA2E0

Then match to below.

(An update of an older post: now with vSphere 4.1 info. Further updated in 2011 with vSphere 5 info.)
Your Linux runs on a VMware VM, but which ESX version is it ? You can see for yourself (as already explained in an earlier post on this blog). Run “dmidecode” and look at lines 10, 11 and 12. The list has been updated with current info:
ESX 2.5 – BIOS Release Date: 04/21/2004 – Address 0xE8480 – Size 97152 bytes
ESX 3.0 – BIOS Release Date: 04/17/2006 – Address 0xE7C70 – Size 99216 bytes
ESX 3.5 – BIOS Release Date: 01/30/2008 – Address 0xE7910 – Size 100080 bytes
ESX 4 – BIOS Release Date: 08/15/2008 – Address 0xEA6C0 – Size 88384 bytes
ESX 4U1 – BIOS Release Date: 09/22/2009 – Address 0xEA550 – Size 88752 bytes
ESX 4.1 – BIOS Release Date: 10/13/2009 – Address 0xEA2E0 – Size 89376 bytes
ESX 5 – BIOS Release Date: 01/07/2011 – Address 0xE72C0 – Size 101696 bytes

Convert .crt/.key to .pfx

blesseddlo — Thu, 07 Jun 2012 19:08:49 +0000

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt