Fire UP CPAN on UBUNTU

To fire up the CPAN module, just get to your command line and run this:
perl -MCPAN -e shell

Once you find yourself staring at the cpan> command prompt, installing a module is as easy as
install MODULE::NAME - for example, to install the HTML::Template module you'd type:
cpan> install HTML::Template
Install the SNMP service on CentOS.

yum install net-snmp

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
vim /etc/snmp/snmpd.conf

rocommunity public 192.168.x.x

P.S. - Replace 192.168.x.x with the IP address of the server that you want to allow SNMP
lookups from, then start the service:

/etc/init.d/snmpd start
chkconfig snmpd on

In firewall open UDP port 161 to your SNMP lookup server.

And Test -
snmpwalk -v 2c -c public 192.168.x.x
To configure the service to be automatically started at boot time, use the following command:
chkconfig snmpd on
This will enable the service in runlevels 2, 3, 4, and 5. Alternatively, you can use the Service
Configuration utility as described in Section 11.2.1.1, Enabling and Disabling a Service.
Debug a shell script
bash -x PATH_OF_THE_SCRIPT
bash -x /sbin/bash01.sh
nmap -A -T4 10.10.1.12: this command runs a traceroute to the IP and checks the version of
the OS running on the machine.

-A: OS version detection (aggressive scan; it also includes the traceroute)
-T4: timing template 4 (the -T option sets the scan timing, as the nmap message below shows)
Unknown timing mode (-T argument). Use either "Paranoid", "Sneaky", "Polite", "Normal",
"Aggressive", "Insane" or a number from 0 (Paranoid) to 5 (Insane)
The command below searches the file named.reversos.conf for every occurrence of
41.210.222.131, replaces it with 41.210.222.60 and writes the result to output_file (the
dots are escaped so they match a literal "." instead of any character):
sed 's/41\.210\.222\.131/41.210.222.60/g' named.reversos.conf > output_file
sed 's/what to find/what to replace/g' which-file-to-search > where-to-write-it
Probing a device: SNMP WALKs

-v2c = SNMP version
-c = community
snmpwalk -v2c -c <community> <switch IP>
snmpwalk -v2c -c mvcsnmp-mng-rw 172.16.30.20

When you decide that you want to write an SNMP monitoring application for a given device you
need to start by understanding what is available to you. If you have a MIB you can read through
it to get a feel. If you have MIB documentation you have an even better leg up. Whether you
have a MIB or not, the best way to start out is to walk the device asking the device agent for
every value it can supply you. Given this output you can then know exactly what is being
reported where and how you want to tackle it in code. The snmpwalk tool can walk the OID tree
based on a starting OID or by default with no OID, which just returns the MIB-II OIDs.
Let's walk a device (APC UPS) and look at what is output using the snmpwalk command.
$ snmpwalk -v1 -c public 10.10.1.224

I found the, or a, solution:
The key step I was missing was how to find the Hardware Wizard:
1. Click the Start menu.
2. Search for "cmd".
3. Right-click on cmd and select Run as Administrator
4. Enter hdwwiz.exe
From that point on it's the same approach as under Vista, i.e.:
1. In the "Welcome to the Add Hardware Wizard", click Next.
2. Select "Install the hardware that I manually select from a list (Advanced)" and
click Next.
3. Scroll down and select "Network adapters" and click Next.
4. Select under Manufacturer "Microsoft" and then under Network Adapter
"Microsoft Loopback Adapter" and click Next.
I've tested this and it's working for me (connecting the host to a VPC using the
loopback adapter).
http://www.youtube.com/watch?v=2wvSzbhMLSQ

http://www.cisco.com/en/US/products/sw/ ... ml#wp70999

Task 3: Configure Your Router to Support SDM

You can install and run SDM on a router that is already in use without
disrupting network traffic, but you must ensure that a few
configuration settings are present in the router configuration file.

Access the CLI using Telnet or the console connection to modify the
existing configuration before installing SDM on your router.

Step 1 Enable the HTTP and HTTPS servers on your router by
entering the following commands in global configuration mode:

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# ip http server

Router(config)# ip http secure-server

Router(config)# ip http authentication local

Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
Testing Link Status from the Command Line
Both the mii-tool and ethtool commands will provide reports on the link status and duplex
settings for supported NICs.
When used without any switches, mii-tool gives a very brief report. Use it with the -v switch
because it provides more information on the supported auto-negotiation speeds of the NIC,
and this can be useful in troubleshooting speed and duplex issues.
The ethtool command provides much more information than mii-tool and should be your
command of choice, especially because mii-tool will soon be deprecated in Linux.
In both of the following examples the NICs are operating at 100Mbps, full duplex and the
link is OK.

Link Status Output from mii-tool
[root@bigboy tmp]# mii-tool -v
Link Status Output from ethtool
[root@bigboy tmp]# ethtool eth0

Using MTR To Detect Network Congestion
Matt's trace-route is an application you can use to do a repeated trace-route in real time;
it dynamically shows the round-trip time to reach each hop along the trace-route path.
The constant updates enable you not only to visually determine which hops are slow,
but also to determine when they appear to be slow. It is a good tool to use whenever you
suspect there is some intermittent network congestion.
You type in the word mtr followed by the target IP address to get output similar to the
following:
[root@bigboy tmp]# mtr 192.168.25.26
The following is an example of tcpdump being used to view ICMP ping packets going
through interface wlan0:
[root@bigboy tmp]# tcpdump -i wlan0 icmp
In this example:
The first column of data is a packet timestamp.
The second column of data shows the packet source and then the destination IP
address or server name of the packet.
The third column shows the packet type.
Two-way communication is occurring as each echo gets an echo reply.
The following example shows tcpdump being used to view packets on interface wlan0
to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output (-t switch).
[root@bigboy tmp]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
Table 4-5 : Useful tshark Expressions
tshark command expression   Description
host host-address           View packets from the IP address host-address
icmp                        View ICMP packets
tcp port port-number        View TCP packets with either a source or destination TCP port of port-number
udp port port-number        View UDP packets with either a source or destination UDP port of port-number
In the next example we're trying to observe an HTTP (TCP port 80) packet flow
between server smallfry at address 192.168.1.102 and bigboy at IP address
192.168.1.100. The tshark output groups the IP addresses and TCP ports together and
then provides the TCP flags, followed by the sequence numbering. It may not be
apparent on this page, but the formatting lines up in neat columns on your screen,
making analysis much easier. Also notice how the command line mimics that of
tcpdump.
[root@smallfry tmp]# tshark -i eth0 tcp port 80 and host 192.168.1.100
Commonly Used NMAP Options
Argument   Description
-P0        Nmap first attempts to ping a host before scanning it. If the server is being
           protected from ping queries, then you can use this option to force it to scan anyway.
-T         Defines the timing between the packets sent during a port scan. Some firewalls can
           detect the arrival of too many non-standard packets within a predetermined time
           frame. This option can be used to send them from 60 seconds apart with a value of
           "5" also known as insane mode to 0.3 seconds with a value of "0" in paranoid mode.
-O         This will try to detect the operating system of the remote server based on known
           responses to various types of packets.
-p         Lists the TCP/IP port range to scan.
-s         Defines a variety of scan methods that use packets that either comply with the
           TCP/IP standard or are in violation of it.
Here is an example of us trying to do a scan using valid TCP connections (-sT) in the
extremely slow "insane" mode (-T 5) from ports 1 to 5000.
[root@bigboy tmp]# nmap -sT -T 5 -p 1-5000 192.168.1.153

NMAP
Don't ping: -PN
With this option Nmap simply doesn't ping the target(s)
sudo nmap -PN 192.168.1.34

CHECK THE OPERATING SYSTEM OF THE DEVICE.
nmap -A -T4 -P0 41.210.222.130
Only ping scan: -sP
This is used to perform a simple ping scan of the specified host
sudo nmap -sP 192.168.1.34
This scan is useful when you want to do a quick search of the target network to see
which hosts are online without actually scanning the targets for open ports
ARP Ping scan
The -PR option instructs nmap to perform an ARP (Address Resolution Protocol) ping
scan on the desired target IP.
sudo nmap -PR 192.168.1.3

You can scan a range of IP addresses too:
nmap 192.168.1.1-20
nmap 192.168.1.*
#6: Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz
#7: Scan a host when protected by the firewall
nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz
Performing a fast scan:
The -F option instructs nmap to perform a scan of only the 100 most commonly used
ports
sudo nmap -F 192.168.1.34
Scan only specific ports
The -p option is used to instruct nmap to scan the specified port(s)
To check if the telnet port is open:
sudo nmap -p23 192.168.1.34
$ sudo nmap -p 22,25,53,80-200 192.168.1.34

Operating system and service detection
The -O parameter enables Nmap's OS detection feature in the scan
nmap -O 192.168.1.34

Service version detection
The -sV parameter is used to detect the version of services
$ nmap -sV 192.168.1.34

The maximum size of the connection-tracking table can be increased. The maximum
size value is stored in the router's proc file system in the file
/proc/sys/net/ipv4/ip_conntrack_max. Increasing the maximum size of the connection
tracking table to a value larger than the total number of connections will eliminate the
error message and prevent the router from dropping connections due to a lack of space
in the connection tracking table.

Each connection uses approximately 350 bytes of memory, so 16384 connections
would allocate 5.7 MB of RAM. In most cases, the default value is sufficient, but
ImageStream recommends that operators encountering the "table full" message
increase the value to either 16384 or 32768 entries. The default firewall configuration
file (/etc/rc.d/rc.firewall, available from the router's Firewall/QoS menu) contains the
command to increase this value:
###############################################################################
# If you have NAT rules and get a "ip_conntrack: table full, dropping packet." #
# message in your kernel message log (dmesg), increase the maximum number of  #
# connections that can be tracked by uncommenting the line below              #
#                                                                             #
# Each connection uses ~ 350 bytes of memory. 16384 = 5.7 MB                  #
###############################################################################
#echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max


Find files with world write access
find / -type f -perm -2 -print
Find files with world read access
find / -type f -perm -4 -print
nc
Hiding tracks

Once inside a network, an attacker will:
    kill the history file:          ln -sf /dev/null .bash_history
    check the crontab:              crontab -l
    establish rogue accounts:       passwd uucp
    hide files:                     mkdir /tmp/...
    establish backdoors:            nc -l -p 6666
    clean logs:                     wtmp/utmp/messages/secure/xferlog /var/log/httpd
    conduct password cracking attacks
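The two find commands and the "hiding tracks" list above can be turned into a read-only audit. The script below is an added example, not part of the original notes; its function names and the sample tree that demo() builds under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): read-only checks built from the
# find commands above and the "hiding tracks" list. Function names and the
# sample tree created by demo() are constructed for illustration.

# Regular files under $1 that any user can write (other-write bit, -perm -2).
find_world_writable() {
    find "$1" -type f -perm -2 -print 2>/dev/null | sort
}

# Regular files under $1 that any user can read (other-read bit, -perm -4).
find_world_readable() {
    find "$1" -type f -perm -4 -print 2>/dev/null | sort
}

# Succeeds when $1/.bash_history is a symlink to /dev/null, i.e. the shell
# history of that home directory is being discarded.
history_discarded() {
    [ -L "$1/.bash_history" ] && [ "$(readlink "$1/.bash_history")" = /dev/null ]
}

# Directories under $1 whose name consists only of dots (e.g. /tmp/...); plain
# ls hides them and they are easy to overlook next to . and .. in ls -a output.
find_dot_dirs() {
    find "$1" -type d -name '..*' -print 2>/dev/null | grep -E '/\.\.\.+$' | sort
}

# Build a constructed sample tree, run every check against it, clean up.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/tmp/..." "$root/tmp/ok"
    printf 'x\n' > "$root/tmp/open.txt";   chmod 666 "$root/tmp/open.txt"
    printf 'x\n' > "$root/tmp/secret.txt"; chmod 600 "$root/tmp/secret.txt"
    ln -sf /dev/null "$root/home/alice/.bash_history"
    echo "world-writable files:"; find_world_writable "$root"
    echo "world-readable files:"; find_world_readable "$root"
    if history_discarded "$root/home/alice"; then
        echo "alice: .bash_history -> /dev/null"
    fi
    echo "dot-only directories:"; find_dot_dirs "$root"
    rm -rf "$root"
}

demo
```

On a real host run the functions against / (or a home directory) instead of the constructed tree; they only read the filesystem.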
How Do I Create a New ext3 File System
First, create the partition using the fdisk command line utility. To start fdisk, type the
following command at a shell prompt. You need the device name that refers to the entire
hard disk.
# fdisk /dev/device-name
# fdisk /dev/sdb
Type n then p, to create a new (n) primary (p) partition
After the fdisk command session (which makes changes to partition table) just type the
following command:
# partprobe
OR
# partprobe /dev/sdX
Format hard disk
To format the partition with the ext3 file system use mke2fs command
# mke2fs -j /path/to/partition
# mke2fs -j /dev/sdb1
Update /etc/fstab
Create a mount point:
# mkdir /disk2
Edit the /etc/fstab to include the new partition
# vi /etc/fstab
Append the new line as follows:
/dev/sdb1 /disk2 ext3 defaults 1 2
To mount, enter:
# mount -a
# df -H
HOW TO DISABLE REMOTE ROOT ACCESS INTO A LINUX MACHINE

Why would you do this? Well everyone knows that 'root' (the username) is the admin of
your box, so by denying 'root' remote access to ssh into your box you are making it just a
wee bit harder for the hackers to get into your box since now they will have to guess a
username on your box.

1. As root,
vi /etc/ssh/sshd_config

2. In there find (or create) a line that reads


# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

The line PermitRootLogin no is the important one. Note there is no # in front of it.

3. Once you have made those changes, save the file (Esc, then :wq).

4. Restart sshd (service sshd restart).

With this line root cannot ssh into the box. To become root, ssh in as a normal user then
use su - to become root once logged in.
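A quick way to confirm the change took effect is to compute the value sshd will actually use, since a commented "#PermitRootLogin no" or a later duplicate line is easy to miss. The script below is an added example, not part of the original notes; the function names are constructed, and the default it reports when the keyword is absent is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not from the original notes: report the PermitRootLogin value
# sshd would actually use for a given sshd_config. Rules applied:
#  - everything after '#' is a comment, so "#PermitRootLogin no" is inert;
#  - the keyword is case-insensitive and may be followed by spaces, tabs or '=';
#  - sshd keeps the FIRST occurrence of a keyword and ignores later ones;
#  - the global section ends at the first "Match" line, so a PermitRootLogin
#    inside a Match block does not change the global value.
# Assumption (labelled): if the keyword is absent we report "prohibit-password",
# the upstream OpenSSH 7.0+ default; releases before 7.0 defaulted to "yes".

effective_permit_root_login() {
    val=$(awk -F'[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }        # drop comment, leading space
        tolower($1) == "match" { exit }               # end of the global section
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo "prohibit-password"; fi
}

# Succeeds only when the effective value is exactly "no", which is what the
# procedure above sets; "prohibit-password" still lets root in with a key.
root_login_blocked() {
    [ "$(effective_permit_root_login "$1")" = no ]
}

# Constructed sample config mirroring the snippet above, for demonstration.
demo() {
    cfg=$(mktemp)
    printf '# Authentication:\n#LoginGraceTime 120\nPermitRootLogin no\n#StrictModes yes\n' > "$cfg"
    echo "effective PermitRootLogin: $(effective_permit_root_login "$cfg")"
    if root_login_blocked "$cfg"; then echo "remote root login blocked"; fi
    rm -f "$cfg"
}

demo
```

Run root_login_blocked /etc/ssh/sshd_config after step 3 and before restarting sshd; a Match block can still grant root for specific users or addresses, which this global check does not cover.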



HOSTS.ALLOW LINUX CONFIGURATION FILE
ALL: 192.168.24.
ALL: 192.168.23.
ALL: 192.168.4.40
ALL: 10.10.1.100
ALL: 41.210.255.49
ALL: 41.210.254.
ALL: 41.210.222.
ALL: 41.210.252.69/29
ALL: 10.8.11.29
ALL: 197.241.128.0/18
ALL: 10.80.0.0/16
ALL: 10.119.252.0/22
ALL: 10.72.0.0/16
ALL: 10.10.2.103
sendmail: 127.0.0.1
vsftpd: 41.210.192.0/255.255.192.0
vsftpd: 127.0.0.1
vsftpd: ALL

HOSTS.DENY LINUX CONFIGURATION FILE
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL



AAA NOTES
Steps to restart the service:
1 - Stop Navis Radius.
2 - Stop LDAP.
3 - If it is necessary to restart the server, both services will be active when it comes
back up.
4 - If not, start LDAP.
5 - Start Navis Radius.
6 - Check in the radius logs that the clients are connecting.
7 - Done.

NB: In a worst-case scenario, if we restart the server and neither the service (nr) nor
the database (LDAP) comes up, we first start the database and then the server.
To check whether the clients are able to authenticate to the triple A, we go to the
folder /radius/log and run the command tail -f followed by the name of the log file
to follow.
Authentication of the dongle: A12 and PPP
The Navis Radius service can be found in the directory below.
To check whether the service is running or not you type the list command.
/opt/Lucent/NavisRadius/bin/nr list

IPTABLES
iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
This rule is applied to limit the number of TCP connections via SSH. It will allow only
two connections into the server.
NOTE: Before we do that we need to run modprobe xt_connlimit from a command line and
add this entry to the rc.local file so that the module is loaded every time the system
restarts.
This option is the /etc/rc.local script. This file runs after all other init level scripts have
run, so it's safe to put various commands that you want to have issued upon startup in it.

For instance, once I had a machine on which, for some reason, Samba seemed to not want
to start, even after checking to make sure the Samba daemon was set up to initialize at
boot up. So instead of spending all of my time up front with this I simply placed the
line:
/etc/init.d/samba start

How do you restart all services instead of doing it one by one?
EG: /etc/init.d/httpd restart
How do I restart everything in /etc/init.d ?
init 2 on Ubuntu
init 5 on Red Hat

The following line makes the user program test.pl (ostensibly a Perl script)
run every two hours, at midnight, 2am, 4am, 6am, 8am, and so on:
0 */2 * * * /home/username/test.pl



cron permissions
The following two files play an important role:
/etc/cron.allow - If this file exists, it must contain your username for you to use
cron jobs.
/etc/cron.deny - If the cron.allow file does not exist but the /etc/cron.deny file does
exist then, to use cron jobs, you must not be listed in the /etc/cron.deny file.
Note that if neither of these files exist then, depending on site-dependent
configuration parameters, either only the super user can use cron jobs, or all
users can use cron jobs.
Field   Description      Allowed Value
MIN     Minute field     0 to 59
HOUR    Hour field       0 to 23
DOM     Day of Month     1-31
MON     Month field      1-12
DOW     Day Of Week      0-6
CMD     Command          Any command to be executed
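The cron.allow / cron.deny precedence described above, written as a function you can run against a directory. This is an added example, not part of the original notes; the function names are constructed, the directory argument stands in for /etc, and the behaviour when neither file exists (which the text says is site-dependent) is a labelled assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: the cron.allow / cron.deny
# decision described above as a function you can run against a directory.
# $1 = user name; $2 = directory holding cron.allow and cron.deny (on a real
# host that is /etc; the demo uses a constructed temporary directory);
# $3 = what to do when NEITHER file exists, which the text says is site-dependent:
#      "root" (assumed default here, only the super user) or "all".
cron_allowed() {
    user=$1; etc=$2; fallback=${3:-root}
    if [ -f "$etc/cron.allow" ]; then
        # cron.allow wins: the user must be listed; cron.deny is not consulted
        grep -qxF "$user" "$etc/cron.allow"
    elif [ -f "$etc/cron.deny" ]; then
        # only cron.deny exists: the user must NOT be listed
        ! grep -qxF "$user" "$etc/cron.deny"
    else
        [ "$fallback" = all ] || [ "$user" = root ]
    fi
}

# Human-readable one-liner for a user.
cron_access_report() {
    if cron_allowed "$1" "$2" "$3"; then
        echo "$1: may use cron"
    else
        echo "$1: may not use cron"
    fi
}

# Constructed demo directory: cron.allow lists alice and root, cron.deny lists
# mallory (and is ignored because cron.allow exists, so bob is denied too).
demo() {
    etc=$(mktemp -d)
    printf 'alice\nroot\n' > "$etc/cron.allow"
    printf 'mallory\n'    > "$etc/cron.deny"
    for u in alice root mallory bob; do cron_access_report "$u" "$etc"; done
    rm -rf "$etc"
}

demo
```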

How to give a regular user root access
Open the file /etc/sudoers, and make sure this line is configured as the line below
## Allows people in group wheel to run all commands
%adm ALL=(ALL) ALL
After this, change the user's group with usermod -g 4 felix, where felix is the name of the
user.

SECURING YOUR WINDOWS WEB SERVERS
Disable NetBIOS and SMB
Disable all unnecessary protocols, including NetBIOS and SMB. Web servers do not
require NetBIOS or SMB on their Internet-facing network interface cards (NICs).
Disable these protocols to counter the threat of host enumeration.
Note The SMB protocol can return rich information about a computer to
unauthenticated users over a Null session. You can block null sessions by setting the
RestrictAnonymous registry key as described in "Step 9. Registry."
Note Test your changes before implementing them in production. Disabling sharing or
NetBIOS can negatively impact manageability for your scenario. For example, IIS uses
the NetUserChangePassword API which depends on NetBIOS. If you permit users to
change passwords through IIS, this will no longer work.

Disabling NetBIOS
NetBIOS uses the following ports:
TCP and User Datagram Protocol (UDP) port 137 (NetBIOS name service)
TCP and UDP port 138 (NetBIOS datagram service)
TCP and UDP port 139 (NetBIOS session service)
Disabling NetBIOS is not sufficient to prevent SMB communication because if a
standard NetBIOS port is unavailable, SMB uses TCP port 445. (This port is referred to
as the SMB Direct Host.) As a result, you must take steps to disable NetBIOS and SMB
separately.
To disable NetBIOS over TCP/IP
Note This procedure disables the Nbt.sys driver and requires that you restart the
system.
Right-click My Computer on the desktop, and click Manage.
Expand System Tools, and select Device Manager.
Right-click Device Manager, point to View, and click Show hidden devices.
Expand Non-Plug and Play Drivers.
Right-click NetBios over Tcpip, and click Disable.
This disables the NetBIOS direct host listener on TCP 445 and UDP 445.
Disabling SMB
SMB uses the following ports:
TCP port 139
TCP port 445
To disable SMB, use the TCP/IP properties dialog box in your Local Area Connection
properties to unbind SMB from the Internet-facing port.
To unbind SMB from the Internet-facing port
1. Click the Start menu, point to Settings, and click Network and Dial-up
Connections.
2. Right-click your Internet-facing connection, and click Properties.
3. Clear the Client for Microsoft Networks box.
4. Clear the File and Printer Sharing for Microsoft Networks box.
Note The WINS tab of the Advanced TCP/IP Settings dialog box contains a Disable
NetBIOS over TCP/IP radio button. Selecting this option disables the NetBIOS session
service that uses TCP port 139. It does not disable SMB completely. To do so, use the
procedure above.


Step 5. Accounts
You should remove accounts that are not used because an attacker might discover and
use them. Require strong passwords. Weak passwords increase the likelihood of a
successful brute force or dictionary attack. Use least privilege. An attacker can use
accounts with too much privilege to gain access to unauthorized resources.
During this step, you:
Delete or disable unused accounts.
Disable the Guest account.
Rename the Administrator account.
Disable the IUSR Account.
Create a custom anonymous Web account.
Enforce strong password policies.
Restrict remote logons.
Disable Null sessions (anonymous logons).
Disable the IUSR Account
Disable the default anonymous Internet user account, IUSR_MACHINE. This is created
during IIS installation. MACHINE is the NetBIOS name of your server at IIS installation
time.
Create a Custom Anonymous Web Account
If your applications support anonymous access (for example, because they use a
custom authentication mechanism such as Forms authentication), create a custom
least privileged anonymous account. If you run IISLockdown, add your custom user to
the Web Anonymous Users group that is created. IISLockdown denies access to system
utilities and the ability to write to Web content directories for the Web Anonymous
Users group.
If your Web server hosts multiple Web applications, you may want to use multiple
anonymous accounts, one per application, so that you can secure and audit the
operations of each application independently.
Restrict Remote Logons
Remove the Access this computer from the network privilege from the Everyone
group to restrict who can log on to the server remotely.



Disable Null Sessions (Anonymous Logons)
Restrict Null sessions by setting RestrictAnonymous to 1 in the registry at the following
subkey:
HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1
The Restrict Anonymous SSA check determines whether the RestrictAnonymous
registry setting is used to restrict anonymous connections on the scanned computer.
The registry setting is at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
For more information, see Microsoft Knowledge Base article 246261, "How To: Use the
RestrictAnonymous Registry Value in Windows 2000."
For more information on using RestrictAnonymous in Windows Server 2003, see
RestrictAnonymous.
