Wednesday, February 28, 2007
Cell Phone as Home Phone
Here is a pretty cool little device that converts your cell phone into your home phone. It is compatible with a number of wireless home phones on the market.
It's listed for $160, which is comparable to good 2.5 or 5.8 GHz cordless phone sets out there.
Saturday, February 24, 2007
Torpedo Comics
Friday, February 23, 2007
Microsoft Security Analyzer
This is a good tool to scan systems remotely for security issues.
The checks that are of interest:
1. Security Patches
2. Weak passwords
3. Firewall running
Here are the pros & cons
Pros:
1. Can scan multiple systems
2. Does several good security checks
3. Easy to use GUI
Cons:
1. No command line
2. No plain-text/CSV report option
Friday, February 16, 2007
Default Password List
http://www.virus.org/default-password/view/All/1/
This is a nice collection of the default passwords for a wide range of products, with an easy-to-use search.
'nuff said
Tuesday, February 06, 2007
SONET Basics
http://www.iec.org/online/tutorials/sonet/topic01.html
SONET defines a technology for carrying many signals of different capacities through a synchronous, flexible, optical hierarchy. This is accomplished by means of a byte-interleaved multiplexing scheme. Byte-interleaving simplifies multiplexing and offers end-to-end network management.
The first step in the SONET multiplexing process involves the generation of the lowest level or base signal. In SONET, this base signal is referred to as synchronous transport signal–level 1, or simply STS–1, which operates at 51.84 Mbps. Higher-level signals are integer multiples of STS–1, creating the family of STS–N signals in Table 1. An STS–N signal is composed of N byte-interleaved STS–1 signals. This table also includes the optical counterpart for each STS–N signal, designated optical carrier level N (OC–N).
Monday, February 05, 2007
Solaris & Active Directory
http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/
This is the best guide I've seen to getting the two to work together. I've worked on this before and have to say the initial documents from Sun were a little confusing.
This document seems to be pretty straightforward. Of course, until I get my lab back up and running I can't try this out.
Sunday, February 04, 2007
Snort Signature Writing
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node14.html
Here are the basics...
Rule format (a rule header followed by the rule options in parentheses; each option is key:value and ends with a semicolon):
action protocol src_ip src_port direction dst_ip dst_port (content:"..."; msg:"..."; ...)
Example:
alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The |..| notation is Snort's hex escape for raw bytes; 0x000186a5 is 100005, the RPC program number for mountd, so the rule fires on traffic to the portmapper (port 111) that asks for mountd.
Dynamic rules sets are also explained.
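To make the header/options split and the |..| hex notation concrete, here is an added example (not from the original post or the Snort manual) that parses a rule of the form shown above and tests a constructed payload against it. It handles only what the post shows: the seven header fields, `content:` and `msg:` options, and a single content match with no modifiers. The payload bytes and addresses are made up for the demonstration.

```python
"""Parse a one-content Snort-style rule and match a payload against it.

Added example: a teaching aid, not a Snort reimplementation. Supports the
seven header fields, 'any', host or CIDR address specs, a single port or
'any', and the content:/msg: options with Snort's |xx xx| hex escapes.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# |00 01 86 a5| style groups inside a content string.
_HEX_GROUP = re.compile(r"\|([0-9a-fA-F\s]+)\|")

# The rule from the post (assumed syntax-corrected; 192.168.0.1/24 is the
# author's spec, treated as the 192.168.0.0/24 block).
MOUNTD_RULE = 'alert tcp any any -> 192.168.0.1/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'


def decode_content(text: str) -> bytes:
    """Turn a content string into raw bytes: literal ASCII outside |..|,
    whitespace-separated hex pairs inside."""
    out = bytearray()
    pos = 0
    for m in _HEX_GROUP.finditer(text):
        out += text[pos:m.start()].encode("ascii")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += text[pos:].encode("ascii")
    return bytes(out)


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_rule(line: str) -> Rule:
    """Split a rule into its header fields and its (key:value;) options."""
    header, _, rest = line.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {header!r}")
    body = rest.rsplit(")", 1)[0]
    opts = {}
    for item in body.split(";"):  # msg values containing ';' are out of scope here
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return Rule(*fields, options=opts)


def in_network(ip: str, spec: str) -> bool:
    """'any', a bare host, or a CIDR block (host bits tolerated, as Snort does)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(port: int, spec: str) -> bool:
    return spec == "any" or port == int(spec)


def rule_matches(rule: Rule, proto: str, src: tuple, dst: tuple, payload: bytes) -> bool:
    """Header checks first (only the '->' direction is modelled), then the
    content check: the decoded bytes must appear somewhere in the payload."""
    if rule.proto != proto or rule.direction != "->":
        return False
    if not (in_network(src[0], rule.src_ip) and port_matches(src[1], rule.src_port)):
        return False
    if not (in_network(dst[0], rule.dst_ip) and port_matches(dst[1], rule.dst_port)):
        return False
    needle = decode_content(rule.options["content"])
    return needle in payload


if __name__ == "__main__":
    rule = parse_rule(MOUNTD_RULE)
    # Constructed RPC-ish payload carrying program number 100005 (0x000186a5).
    payload = b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"
    hit = rule_matches(rule, "tcp", ("10.0.0.5", 40000), ("192.168.0.77", 111), payload)
    print(f"{rule.action}: {rule.options['msg']}" if hit else "no match")
```

The same payload sent to port 2049 or over UDP does not match, because the header is checked before the content; that ordering is also why a rule with a broad header and a short content string is expensive in a real sensor.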
CISCO: DoS Prevention
http://www.ciscopress.com/articles/article.asp?p=345618&rl=1
This is an excerpt from the book Cisco Firewall Router Security.
A Denial-of-Service (DoS) attack can cause immense harm to your business. In this chapter, you can learn how to deal with such an attack and minimize the damage done.
There are links to other chapters, but this excerpt will give you some information on detecting DoS attacks, on implementing ACLs, and on tuning IP settings to help prevent, or at least survive, a DoS attack.
DTrace for Fun and Profit
Yeah, there is no way to sum up any of the info in the blog in a useful way. So check out these links, they provide different resources to learn the DTrace tools in Solaris.
- http://developers.sun.com/solaris/articles/dtrace_example.pdf
- Dynamic Tracing (DTrace) in the Solaris 10 OS, this article is a learn-by-example guide.
- http://www.sun.com/software/solaris/howtoguides/dtracehowto.jsp
- The DTrace How to Guide is intended to help a new user learn how to use DTrace for gathering and using system and application information from a Solaris 10 system
- http://developers.sun.com/solaris/articles/dtrace_quickref/dtrace_quickref.html
- This guide to Dynamic Tracing in the Solaris OS offers tables listing providers, functions, aggregating functions, variables, and built-in variables.
Windows Computer Investigation Guide
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents. A secondary bookmark that you will need to use this guide is Sysinternals:
http://www.microsoft.com/technet/sysinternals/default.mspx
Some of the tools I use most often in my investigations are:
- PSExec:
- Remotely execute processes, optionally with limited-user rights
- PSLoggedOn:
- Show users logged on to a system
- PSLogList:
- Dump event log records
- PSTools:
- The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
Checkpoint CLI guide
http://www.secwiz.com/Default.aspx?tabid=52
Here is the CLI guide to Check Point FW-1. A few of the commands covered:
cphaprob state
Status of the high-availability modules; shows which gateway is active, standby or down
fw tab -t <table>
Displays a firewall state table (for example, -t connections for the connections table)
fw log -f
Displays the log continuously (follow mode)
In general, each NG log file is composed of four files:
- xx.log — stores the log records
- xx.logptr — pointers to beginning of each log record
- xx.loginitial_ptr — pointers to beginning of each log chain (logs with the same connection id)
- xx.logaccount_ptr — pointers to beginning of each accounting record.
- For the audit log, the corresponding four files are:
- xx.adtlog
- xx.adtlogptr
- xx.adtloginitial_ptr
- xx.adtlogaccount_ptr
Netfilter or IPTables
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-fw.html
This is from Red Hat, but it pertains to any system you install iptables on. It also has some basic firewall info like:
There is a distinction between the REJECT and DROP target actions. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP, as the name implies, drops the packet without any warning to telnet users. Administrators can use their own discretion when using these targets; however, to avoid user confusion and attempts to continue connecting, the REJECT target is recommended.
Good guide to using IPTables.
Checkpoint: Performance Tuning
http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
This guide combines the Solaris performance and security tuning guides, but focuses specifically on the settings that affect your firewall performance.
Settings like:
- Tuning the STREAMS queues for high-throughput VPN-1 gateways
- set sq_max_size = 100 (for a Solaris gateway with 256MB RAM)
- Tuning the TCP hiwater parameters for maximal throughput
- ndd -set /dev/tcp tcp_xmit_hiwat 65535 (default 8192)
- ndd -set /dev/tcp tcp_recv_hiwat 65535 (default 8192)
- Tuning the TCP Slow Start and TCP queue sizes
- set tcp:tcp_conn_hash_size = 16384
- ndd -set /dev/tcp tcp_slow_start_initial 2 (default 1)
- ndd -set /dev/tcp tcp_conn_req_max_q 1024 (default 128)
- ndd -set /dev/tcp tcp_conn_req_max_q0 4096 (default 1024)
- ndd -set /dev/tcp tcp_time_wait_interval 60000 (default 240000)
Netscreen Basics
http://www.juniper.net/techpubs/software/erx/junose61/swconfig-system-basics/frameset.htm
This is everything you wanted to know about managing netscreen firewalls. Sadly it's in PDFs which make it a hassle, but this/these are the guides you want:
- CLI guide
- Writing CLI Macros
- HA guide
- Packet Mirroring
- Logging System Events (Includes event descriptions)
http://www.juniper.net/techpubs/software/erx/junose61/bookpdfs/swconfig-system-basics.pdf
Saturday, February 03, 2007
Solaris System Tuning
http://docs.sun.com/app/docs/doc/806-7009/6jftnqsiu?a=view
The most important thing to remember here is:
Make a copy of /etc/system before modifying it so you can easily recover from incorrect values:
# cp /etc/system /etc/system.good
If a value entered in /etc/system causes the system to become unbootable, you can recover with the following command from the OpenBoot ok prompt:
# boot -a
This command causes the system to ask for the name of various files used in the boot process. Press Return to accept the default values until the name of the /etc/system file is requested. When the Name of system file [/etc/system]: prompt is displayed, enter the name of the good /etc/system file (the copy made above) or /dev/null.
If /dev/null is entered, the system attempts to read its configuration from /dev/null and, because it is empty, uses the default values. After the system is booted, the /etc/system file can be corrected.
The guide will explain the different tunables, how to check performance, and when to change the settings.
Solaris: Kernel Tuning for Security
http://www.securityfocus.com/infocus/1385
This is specifically about tuning your network settings to prevent network-based attacks. For example:
Worried about ARP attacks? Shorten the ARP cache lifetimes (both take an interval in milliseconds; the value is not given here, see the guide):
# ndd -set /dev/arp arp_cleanup_interval <interval in ms>
# ndd -set /dev/ip ip_ire_flush_interval <interval in ms>
(On Solaris 8 and later the IP-side parameter is ip_ire_arp_interval.)
How about IP forwarding or source routing? Turn off forwarding, enable strict multihoming (1, not the default 0, so packets arriving on an interface for an address on another interface are dropped), and drop directed broadcasts and source-routed packets:
# ndd -set /dev/ip ip_forwarding 0
# ndd -set /dev/ip ip_strict_dst_multihoming 1
# ndd -set /dev/ip ip_forward_directed_broadcasts 0
# ndd -set /dev/ip ip_forward_src_routed 0
Note that ndd settings do not survive a reboot; put them in a startup script.
How about SYN floods? First you need a baseline of how many half-open (SYN_RCVD) connections the box normally carries. Either of these commands will do:
# netstat -an -f inet | grep SYN_RCVD | wc -l
# netstat -s -P tcp
Then you need to read the guide.
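The baseline step is easy to hand-wave, so here is an added example (not from the original post or the SecurityFocus article) that does the first command's job in code: it parses `netstat -an -f inet` output, counts SYN_RCVD sockets per remote host, and flags a count that is well above a set of baseline samples. The sample netstat text is constructed to look like Solaris output (addresses written as host.port), not captured from a real system; the threshold rule (mean + 3 sigma, never below 10) is an assumption to tune per host.

```python
"""Count half-open (SYN_RCVD) connections from `netstat -an -f inet` output
and compare the count against a baseline.

Added example; the sample below is constructed, not real netstat output.
"""
import statistics
import subprocess
from collections import Counter

# Constructed sample of `netstat -an -f inet` on a Solaris host.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
192.168.1.10.22      10.0.0.9.51234     65535      0 49152      0 ESTABLISHED
192.168.1.10.80      10.0.0.5.41122         0      0 49152      0 SYN_RCVD
192.168.1.10.80      10.0.0.5.41123         0      0 49152      0 SYN_RCVD
192.168.1.10.80      10.0.0.5.41124         0      0 49152      0 SYN_RCVD
192.168.1.10.80      172.16.3.4.33001       0      0 49152      0 SYN_RCVD
"""


def split_host_port(addr: str) -> tuple:
    """Solaris writes addr.port; the port is everything after the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def half_open_by_source(netstat_output: str) -> Counter:
    """Return {remote host: number of SYN_RCVD sockets} from netstat text.

    Only lines whose last field is SYN_RCVD count; the header, separator
    and LISTEN/ESTABLISHED lines are skipped.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "SYN_RCVD":
            continue
        remote_host, _ = split_host_port(fields[1])
        counts[remote_host] += 1
    return counts


def syn_flood_suspected(current: int, baseline: list, sigmas: float = 3.0, floor: int = 10) -> bool:
    """True when the current SYN_RCVD count is well above the baseline.

    baseline: SYN_RCVD counts sampled during normal operation (the first
    step in the post). Threshold is mean + sigmas * stdev, but never below
    `floor`, so a quiet box with a near-zero baseline does not alarm on a
    handful of slow handshakes. Both knobs are assumptions to tune per host.
    """
    if len(baseline) < 2:
        raise ValueError("need at least two baseline samples")
    threshold = statistics.mean(baseline) + sigmas * statistics.pstdev(baseline)
    return current > max(threshold, floor)


def live_count() -> int:
    """Equivalent of `netstat -an -f inet | grep SYN_RCVD | wc -l` on a
    Solaris host (the -f inet flag is Solaris/BSD syntax)."""
    out = subprocess.run(["netstat", "-an", "-f", "inet"],
                         capture_output=True, text=True, check=True).stdout
    return sum(half_open_by_source(out).values())


if __name__ == "__main__":
    per_source = half_open_by_source(SAMPLE_NETSTAT)
    total = sum(per_source.values())
    print(f"half-open connections: {total}; top sources: {per_source.most_common(3)}")
    # Five constructed baseline samples from a quiet period.
    print("flood suspected:", syn_flood_suspected(total, baseline=[1, 0, 2, 1, 0]))
```

The per-source breakdown matters as much as the total: a spoofed SYN flood shows many sources with one half-open socket each, while a single host holding dozens is more likely a scanner or a broken client, and the two call for different responses (tcp_conn_req_max_q0 tuning versus a simple filter).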
NMAP: More port scanning techniques
Explains how to use Nmap's:
TCP Null (option -sN), FIN (option -sF) and Xmas (option -sX) scans to get through non-stateful firewalls and packet-filtering routers.
IPID Idle scan (option -sI) to map out IP-based trust relationships between machines, and to get through firewalls.
TCP ACK scan (option -sA), to help map out firewall rule sets.
As well as many other ways to test firewall configurations.