http://qmailrocks.org/
MSC,MCP,CCNA,CCNP,CCNSP,JNCIA,JNCIS-SEC......... Personal Web: http://www.tayabkhan.com
Monday, December 17, 2012
Tuesday, December 4, 2012
Proxy and other log management via the web with Squint
Install Squint and adapt it to your system as follows
========================== royalmcuc@yahoo.com
REQUIREMENTS
=>Squid proxy server
=>Perl (/usr/bin/perl)
=> Apache (to view documents), or a local web browser
=>Lotsa CPU time (it is very inefficient) (did I mention that it
is inefficient?)
Steps of INSTALLATION
1) Download squint from web
www.ledge.co.za/software/squint/squint.tar.gz
2) # tar -zxvf squint.tar.gz
cd squint
make
make install
make init
make example
3) # cp squint.pl squint.cron.sh /usr/local/bin
Install the binaries in a nice place
4) squint.cron.sh init
This creates a place for the reports in /usr/local/httpd/htdocs (or
wherever the htdocs directory is found). It installs a crontab entry
to run the report daily, weekly and monthly. You may wish to edit the
crontab entry first -- the system has not been optimised for security,
and runs (unnecessarily) as the user root, rather than the user squid.
5) # squint.cron.sh all
Create current daily, weekly and monthly reports -- don't do this
twice! -- the reports get rotated every time you run the task, so
things can get a little messy.
6) # squint.cron.sh regen
Recreate all the reports for your initial system, and also
for when the program manages to mess things up.
# ---------------------------------------------------------------------------
# Jan Henkins of Obsidian (obsidian.co.za) contributed these instructions,
# which may or may not correspond to the current version of squint.
Install Squint
==============
First things first:
-------------------
[ Update: REPORTS has been removed - important environment variables are now
BASEDIR (reports) and LOGDIR (squid logs) ]
After you have unpacked the squint-xxxxxxxx.tar.gz file, go into the
directory that was created. Before you install squint, check and edit
the squint.cron.sh file to reflect the correct paths to where you want
things to be put. Pay special attention to the REPORTS variable (line 3)
for a valid path to your HTML document root, and the "find" statement on
line 45 to point to the correct directory where your squid stores its
logs.
Installing the software:
------------------------
Simply run "make install", and make will put things in /usr/local/bin
Installing the crontab entry:
-----------------------------
Normally you can do this yourself, but the Makefile allows you to install
it automatically by running "make init". This will add an entry to the
bottom of the /etc/crontab file, as well as run the squint analyzer to
create your first set of files in the HTML directory you have specified.
Your crontab entry should look something like this:
7) Squint squid reports crontab entries (edit /etc/crontab; the monthly job runs on the 1st of each month):
30 14 * * Fri root /usr/local/bin/squint.cron.sh weekly
00 01 1 * * root /usr/local/bin/squint.cron.sh monthly
00 01 * * * root /usr/local/bin/squint.cron.sh daily
8) View the reports via the web at http://yourserverip/squint
For any query, contact me: royalmcuc@yahoo.com
Monday, November 26, 2012
Network Monitoring System (NMS) with CactiEZ
Step 1) First download CactiEZ via torrent:
http://cactiez.cactiusers.org/torrents/CactiEZ-v0.7.torrent
It is an ISO image (bootable CD); the NMS ships with its own Linux operating system.
Features:
- Centos 6 x64
- Cacti v0.8.8a
- Plugin Architecture
- Spine Poller
- Netflow Collection
- Syslog Collection
- Thresholding
- Weathermaps
- Auto-Discovery
Another Download Link:
Step 2) Extract and burn the CD image.
Step 3) Configure a Cisco router for SNMP
There's more to the process, such as security concerns, but this will get you access to the router's SNMP information. The community string is sent in clear text by SNMPv1/v2c, so treat it as a password and restrict which hosts may use it.
1. Log in to the router and enter global configuration mode
cisco# conf t
2. Configure the SNMP community string (read-only)
cisco(config)# snmp-server community CactiMonitoring ro
cisco(config)# end
3. Save your router configuration
cisco# copy running-config startup-config
4. Document the community string; one option is to use KeePass to store passwords and similar secrets securely.
Login Information
Some useful info you will need. You can also see this information by pressing F6 at the CD Installation prompt.
To log in to Cacti (it prompts you to change this):
user: admin
pass: admin
Webmin is at (requires the root user / password):
https://serverip:10000
To configure Nagios:
user: nagiosadmin
pass: CactiEZ
Tuesday, October 9, 2012
Juniper Command (snmp) Tips
=================
Tayab@M7i> show configuration | display set
set version 11.4R1.14
===============================
set snmp location NOC
set snmp contact "tayab@ictsolutionsforall.com"
set snmp community public authorization read-only
set snmp community public clients 192.168.0.0/16
set snmp community public clients 0.0.0.0/0 restrict
set snmp health-monitor
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.2
=======================
Delete a rule (in configuration mode, then commit)
delete snmp community public authorization read-only
commit
Postfix / SquirrelMail / Webmail time, mailbox and related tips
============
Time problem in webmail / SquirrelMail (mail transfer time is wrong): set the PHP timezone
vi /etc/php.ini
date.timezone = "Asia/Dhaka"
======================
If the mailbox does not show in SquirrelMail webmail, set the Dovecot mail location
vi /etc/dovecot.conf
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = maildir:~/Maildir
/etc/init.d/dovecot restart
#### /usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings
General
-------
1. Domain : tayabkhan.com
2. Invert Time : false
3. Sendmail or SMTP : SMTP
A. Update IMAP Settings : localhost:143 (uw)
B. Update SMTP Settings : localhost:25
R Return to Main Menu
C Turn color on
S Save data
Q Quit
=================================
SquirrelMail
==========================
First generate a chown command for every user listed in passwd_new (a copy of /etc/passwd); note the space before /home so the path is separate from the owner
awk -F: '{print "chown -R " $1 ":" $1 " /home/" $1 "/mail"}' passwd_new > chown_change
chmod 755 chown_change
then run ./chown_change
SquirrelMail location change (Apache virtual host)
<VirtualHost *:80>
DocumentRoot /usr/share/squirrelmail/
ServerName mail.synergiesbangladesh.com
</VirtualHost>
=================
If the error message "(unknown mail transport error)" shows up,
just copy the /etc/services file to
/var/spool/postfix/etc/
and restart Postfix (the Postfix daemons run chrooted there, so they need their own copy).
Also make sure /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf are identical.
========================
Thursday, August 23, 2012
script for mailq delete
-----------------------
Debian/CentOS postfix mail delete script
----------------------------
cat removemail
#!/usr/bin/perl
# Delete every message in the Postfix queue whose queue entry (sender,
# recipient or deferral reason) matches the regular expression given as
# the first argument.
use strict;
use warnings;

my $REGEXP = shift || die "no email address given (regexp-style, e.g. bl.*\@yahoo.com)!";
my @data = qx</usr/sbin/postqueue -p>;
my ($queue_id, %Q);
for (@data) {
    # A queue entry starts with its queue ID, optionally followed by
    # '*' (active) or '!' (held), then whitespace.
    if (/^(\w+)(\*|\!)?\s/) {
        $queue_id = $1;
    }
    if ($queue_id) {
        if (/$REGEXP/i) {
            $Q{$queue_id} = 1;
            $queue_id = "";
        }
    }
}
# Feed the matching queue IDs to "postsuper -d -", which reads IDs from stdin.
# Swap in the commented line to dry-run (print the IDs instead of deleting).
#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;
open(POSTSUPER, "|/usr/sbin/postsuper -d -") || die "couldn't open postsuper";
foreach (keys %Q) {
    print POSTSUPER "$_\n";
}
close(POSTSUPER);
@tayab_khan
--------------------- chmod 755 removemail
----------------------- ./removemail MAILER-DAEMON
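As an added example (not part of the original post), the same queue-matching logic in Python, run against a constructed sample of postqueue -p output so it can be tried without a mail server: it splits the output into queue entries, selects the queue IDs where any line of the entry (sender, recipient or deferral reason) matches the pattern, and only calls postsuper when dry_run is switched off. The sample output and the function names are my own, not from the script above.

```python
import re
import subprocess

# Constructed sample of `postqueue -p` output (not captured from a real host).
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    2345 Mon Aug 20 10:15:01  MAILER-DAEMON
                                         user1@example.com

F6E7D8C9B0     1234 Mon Aug 20 10:16:22  alice@example.net
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@example.org

1122334455!     987 Mon Aug 20 10:17:05  spammer@example.com
                                         carol@example.com

-- 4 Kbytes in 3 Requests.
"""

# Same rule as the Perl script: an entry starts with the queue ID, optionally
# flagged '*' (active) or '!' (held), followed by whitespace.
QUEUE_ID_RE = re.compile(r"^(\w+)([*!])?\s")


def parse_queue(text):
    """Split postqueue -p output into entries of {'id', 'flag', 'lines'}."""
    entries = []
    current = None
    for line in text.splitlines():
        m = QUEUE_ID_RE.match(line)
        if m:
            current = {"id": m.group(1), "flag": m.group(2) or "", "lines": [line]}
            entries.append(current)
        elif not line.strip() or line.startswith("-"):
            current = None  # blank line, header or footer ends the entry
        elif current is not None:
            current["lines"].append(line)  # recipient or deferral-reason line
    return entries


def match_ids(entries, pattern):
    """Queue IDs whose entry has any line matching pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e["id"] for e in entries if any(rx.search(l) for l in e["lines"])]


def delete_from_queue(ids, dry_run=True):
    """Hand the IDs to `postsuper -d -` on stdin; with dry_run just return them."""
    if dry_run or not ids:
        return list(ids)
    subprocess.run(["/usr/sbin/postsuper", "-d", "-"],
                   input="\n".join(ids) + "\n", text=True, check=True)
    return list(ids)


if __name__ == "__main__":
    import sys
    pattern = sys.argv[1] if len(sys.argv) > 1 else "MAILER-DAEMON"
    # Uses the constructed sample; on a real host replace SAMPLE_QUEUE with
    # subprocess.run(["/usr/sbin/postqueue", "-p"], capture_output=True, text=True).stdout
    ids = match_ids(parse_queue(SAMPLE_QUEUE), pattern)
    print("would delete:", delete_from_queue(ids, dry_run=True))
```

Run it with a pattern as the first argument; it reports what it would delete. Keep dry_run on until the selected IDs look right, since postsuper -d removes messages irreversibly.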
Sunday, July 15, 2012
Mikrotik IPsec VPN (site to site)
Site to Site IPsec Tunnel
Consider the setup as illustrated below.
Two remote office routers are connected to the internet and the office workstations behind the routers are NATed. Each office has its own local subnet, 10.1.202.0/24 for Office1 and 10.1.101.0/24 for Office2. Both remote offices need a secure tunnel to the local network behind the other router.
IP Connectivity
On both routers ether1 is used as the WAN port and ether2 is used to connect workstations. NAT rules are also set to masquerade the local networks.
Office1 router:
/ip address
add address=192.168.90.1/24 interface=ether1
add address=10.1.202.1/24 interface=ether2
/ip route
add gateway=192.168.90.254
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
Office2 router:
/ip address
add address=192.168.80.1/24 interface=ether1
add address=10.1.101.1/24 interface=ether2
/ip route
add gateway=192.168.80.254
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
IPsec peer config
The next step is to add the peer configuration. We need to specify the peer's address and port and the pre-shared key (use a long, random pre-shared key in production; "test" is for the example only). Other parameters are left at their default values.
Office1 router:
/ip ipsec peer
add address=192.168.80.1/32:500 auth-method=pre-shared-key secret="test"
Office2 router:
/ip ipsec peer
add address=192.168.90.1/32:500 auth-method=pre-shared-key secret="test"
Policy and proposal
It is important that the proposed authentication and encryption algorithms match on both routers. In this example we use the predefined "default" proposal:
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
Note that this default proposal uses 3DES, SHA1 and modp1024, which are legacy algorithms; if both ends support it, prefer AES and a stronger PFS group. As we already have a proposal, the next step is a correct IPsec policy. We want to encrypt traffic coming from 10.1.202.0/24 to 10.1.101.0/24 and vice versa.
Office1 router:
/ip ipsec policy
add src-address=10.1.202.0/24:any dst-address=10.1.101.0/24:any \
sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 \
tunnel=yes action=encrypt proposal=default
Office2 router:
/ip ipsec policy
add src-address=10.1.101.0/24:any dst-address=10.1.202.0/24:any \
sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 \
tunnel=yes action=encrypt proposal=default
Note that we configured tunnel mode instead of transport, as this is site to site encryption.
NAT Bypass
At this point, if you try to establish the IPsec tunnel it will not work: packets will be rejected. This is because both routers have NAT rules that change the source address after the packet is encrypted. The remote router receives the encrypted packet but is unable to decrypt it because the source address does not match the address specified in the policy configuration.
To fix this we need to set up a NAT bypass rule.
Office1 router:
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=10.1.202.0/24 dst-address=10.1.101.0/24
Office2 router:
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=10.1.101.0/24 dst-address=10.1.202.0/24
It is very important that bypass rule is placed at the top of all other NAT rules.
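As an added example (not from the original post or from MikroTik), a small Python checker for the consistency rules this section relies on: the proposals must match, the peers must point at each other's WAN address, the policies must be mirrored with sa-src/sa-dst equal to the WAN addresses and tunnel mode on both ends, and the srcnat accept (bypass) rule must come before the masquerade rule. The dictionary layout is an assumed representation of the commands above, not a RouterOS export format; the sample configs are the two routers from this section.

```python
import copy
import ipaddress

# Constructed representation of each router's settings, mirroring the commands
# in the section above (assumed shape for this check; not RouterOS's own format).
OFFICE1 = {
    "wan": "192.168.90.1",
    "peer": "192.168.80.1",
    "proposal": {"auth": "sha1", "enc": "3des", "pfs": "modp1024"},
    "policy": {"src": "10.1.202.0/24", "dst": "10.1.101.0/24",
               "sa_src": "192.168.90.1", "sa_dst": "192.168.80.1",
               "tunnel": True},
    # srcnat chain in rule order: bypass rule first, masquerade after it
    "nat": [
        {"action": "accept", "src": "10.1.202.0/24", "dst": "10.1.101.0/24"},
        {"action": "masquerade", "out_interface": "ether1"},
    ],
}
OFFICE2 = {
    "wan": "192.168.80.1",
    "peer": "192.168.90.1",
    "proposal": {"auth": "sha1", "enc": "3des", "pfs": "modp1024"},
    "policy": {"src": "10.1.101.0/24", "dst": "10.1.202.0/24",
               "sa_src": "192.168.80.1", "sa_dst": "192.168.90.1",
               "tunnel": True},
    "nat": [
        {"action": "accept", "src": "10.1.101.0/24", "dst": "10.1.202.0/24"},
        {"action": "masquerade", "out_interface": "ether1"},
    ],
}


def nat_bypass_problems(name, router):
    """The accept rule for the tunnel subnets must precede any masquerade rule."""
    lan, remote = router["policy"]["src"], router["policy"]["dst"]
    bypass_at = masq_at = None
    for i, rule in enumerate(router["nat"]):
        if rule["action"] == "masquerade" and masq_at is None:
            masq_at = i
        if (rule["action"] == "accept" and rule.get("src") == lan
                and rule.get("dst") == remote and bypass_at is None):
            bypass_at = i
    if bypass_at is None:
        return [f"{name}: no srcnat accept rule for {lan} -> {remote}"]
    if masq_at is not None and masq_at < bypass_at:
        return [f"{name}: masquerade rule precedes the NAT bypass rule"]
    return []


def check_site_to_site(a, b, names=("Office1", "Office2")):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    if a["proposal"] != b["proposal"]:
        problems.append("proposal (auth/enc/pfs) differs between routers")
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        problems.append("peer addresses do not point at each other's WAN address")
    pa, pb = a["policy"], b["policy"]
    for p in (pa, pb):
        for key in ("src", "dst"):
            ipaddress.ip_network(p[key])  # raises ValueError on a mistyped subnet
    if pa["src"] != pb["dst"] or pa["dst"] != pb["src"]:
        problems.append("policy src/dst subnets are not mirrored")
    if ((pa["sa_src"], pa["sa_dst"]) != (a["wan"], b["wan"])
            or (pb["sa_src"], pb["sa_dst"]) != (b["wan"], a["wan"])):
        problems.append("sa-src/sa-dst addresses do not match the WAN addresses")
    if not (pa["tunnel"] and pb["tunnel"]):
        problems.append("site-to-site policy must use tunnel mode on both ends")
    for name, r in zip(names, (a, b)):
        problems.extend(nat_bypass_problems(name, r))
    return problems


def with_bypass_last(router):
    """Copy of router with the bypass rule moved after masquerade (the broken order)."""
    r = copy.deepcopy(router)
    r["nat"].reverse()
    return r


if __name__ == "__main__":
    print("problems:", check_site_to_site(OFFICE1, OFFICE2) or "none")
    print("problems:", check_site_to_site(OFFICE1, with_bypass_last(OFFICE2)))
```

The second print shows the failure mode the section describes: with the masquerade rule ahead of the bypass rule, the checker reports the ordering problem for Office2.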
Unhide the Administrator Account in Windows XP
In every installation of Windows XP there is a built-in, default administrator account named Administrator, which is equivalent to the superuser or root on a Unix system. However, if you have set up another user account in Windows XP, the Administrator account is hidden and invisible in User Accounts and in Computer Management.
To see the Administrator account you have to boot Windows in Safe Mode. Alternatively, you can modify the Windows registry so that the Administrator account is shown at the Windows XP Welcome screen for you to select, in the Control Panel's User Accounts and in the local user lists in Computer Management.
Launch Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList in the Registry Editor.
Double-click the Administrator value in the right pane.
If the Administrator value doesn't exist, right-click on the UserList key in the pane, choose New, DWORD Value, name it Administrator and press Enter.
Type 1 in the "Value data" box and press Enter.
Note: To launch User Accounts in Control Panel, go to Control Panel -> User Accounts, or click Start -> Run, type Control userpasswords and press Enter.
Once you unhide the Administrator account you can change its picture, assign it a password or change the password. On the next boot the Administrator account will be visible on the Welcome screen along with all the computer's other user accounts. Give it a strong password before exposing it: a visible built-in Administrator account with a blank password is an obvious target.
Windows 7 / XP: make a WLAN laptop an access point
Just download the Connectify software and configure it as a DHCP server and wireless access point:
http://www.connectify.me/
http://download.cnet.com/Connectify/3000-18508_4-75024171.html?part=dl-10061477&subj=dl&tag=button
Saturday, July 14, 2012
Basic Security Tips for Linux
By Tayab Khan
-----------------------------------------------------------------------
Security is one of the main concerns for every system today. A system can be secured in different ways; here we look at some basic security measures for a Linux system.
1) Physical Access Protection: physical access protection means protecting a system from an attacker who has physical access to it. We can take the following steps to secure our system:
i) BIOS password restriction: set a password in the BIOS (Basic Input Output System) to protect the system from unauthorized changes to the BIOS settings. Assigning a BIOS password matters because the BIOS is the first step during system startup.
ii) Boot loader password protection / authentication in single-user mode: the boot loader starts the execution of the kernel. Set a password in the boot loader configuration to prevent users from modifying the boot parameters. A password on the GRUB boot loader prevents users from entering single-user mode or changing settings at boot time: GRUB will ask for the password before making any changes or entering single-user mode.
iii) Configure automatic logout after a period of inactivity for shell logins.
iv) Screen lock for GUI users: the graphical user interface (GUI) screen can be locked to increase system security. On a Linux system, the GNOME desktop screen can be locked by choosing 'Lock Screen' from the System menu.
v) Enable SELinux for better security: Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including U.S. Department of Defense style mandatory access controls, through the Linux Security Modules (LSM) framework in the Linux kernel. SELinux can be used to protect against misconfigured or compromised programs. The SELinux policy is the set of rules that guide the SELinux security engine. It defines types for file objects and domains for processes, uses roles to limit the domains that can be entered, and has user identities to specify the roles that can be attained. In short, SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
2) Security for network configuration:
i) Configure the firewall and iptables: a firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. Configure the firewall and iptables to allow required access and block unnecessary ports and programs. We can configure the /etc/sysconfig/iptables file to secure the Linux system: allow specific services or ports and block unnecessary ports with iptables. We can also restrict specific services to specific clients by editing hosts.allow and hosts.deny. This part deserves real care, because configuring the firewall properly is one of the most important parts of system security.
ii) Configure syslogd and monitor all important syslogs for system security: syslogd is a very important monitoring tool and also a standard for forwarding log messages in an Internet Protocol (IP) network, used by default on Linux systems. syslogd logs messages from facilities such as auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp and local0 to local7, and each message is assigned a priority/level (Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug) by the sender. We can configure syslog.conf to monitor the system's error messages, mail messages and the messages of different services, which helps to identify problems quickly and take the necessary steps for system security.
iii) SSH and Telnet restriction for a secured network: SSH and Telnet are very helpful for remote login to a Linux system, but we have to make sure the services are configured in a secure way. For network security, stop Telnet (it sends credentials in clear text) and SSH if they are not needed; otherwise restrict ssh login strictly through the file /etc/ssh/sshd_config. We can limit which users may log in over ssh, disable root login via ssh and change the default ssh port (22) for better security.
iv) Secure configuration of network devices and servers: network devices that run in our system must have a secured configuration. Servers that run in our system, such as DNS, Samba, SNMP, web, FTP and NFS, have to be configured in a secure way. Linux servers must be configured properly for strong network security, and we also have to make sure that their applications and services are configured securely.
3) Restrict accounts and access control: to increase system security we must restrict all user accounts and control the access of individual users. The following steps are very important for this type of security:
i) Configure the sudoers file and limit su access.
ii) Set password expiration for the accounts.
iii) Verify the permissions on passwd, shadow and group.
iv) Check the permissions of directories and files.
v) Ensure no accounts have empty password fields.
Finally
There are also various tools that can be used effectively to improve a system's security and to detect unknown attacks from hackers. Basically we can use iptables for host-based firewalling, SELinux for protection against misconfigured programs and logging (such as syslogd) for detection of problems on our Linux system.
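As an added example (my own code, not part of the original article), a small audit script for the checks in sections 2.iii and 3 above: it finds accounts with an empty password field and accounts whose password never expires in shadow-format text, compares a file mode against a baseline for passwd/group/shadow, and evaluates an sshd_config the way sshd does (first value for a keyword wins, comments ignored) to report root login, empty-password login, the default port and missing user restrictions. The shadow lines, the sshd_config excerpt and the mode baseline are constructed for the example.

```python
import os

# Constructed sample inputs (not taken from a real host).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob::19000:0:99999:7:::
alice:$6$saltsalt$anotherhash:19000:0:90:7:::
svc:!:19000:0:99999:7:::
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
"""

# Most permissive mode each file should have (assumed baseline: Debian-style
# root:shadow 0640 for the shadow files; RHEL's 0000 also passes).
MAX_MODES = {
    "/etc/passwd": 0o644,
    "/etc/group": 0o644,
    "/etc/shadow": 0o640,
    "/etc/gshadow": 0o640,
}


def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty (tip 3.v): no password needed."""
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if line and not line.startswith("#") and line.split(":")[1] == ""]


def accounts_without_expiry(shadow_text, max_days=99999):
    """Accounts with a usable password but no real password expiry (tip 3.ii)."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        locked = f[1].startswith(("*", "!"))  # locked or no-login accounts are skipped
        if not locked and (f[4] == "" or int(f[4]) >= max_days):
            found.append(f[0])
    return found


def mode_too_permissive(path, st_mode):
    """True if st_mode grants permission bits beyond the baseline for path (tip 3.iii)."""
    return (st_mode & 0o777) & ~MAX_MODES[path] != 0


def effective_sshd_settings(config_text):
    """sshd keeps the first value it sees for each keyword; comments are ignored."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        settings.setdefault(keyword.lower(), value.strip())
    return settings


def sshd_findings(config_text):
    """Findings for the ssh restrictions discussed in tip 2.iii."""
    s = effective_sshd_settings(config_text)
    findings = []
    # OpenSSH's compiled-in default is prohibit-password (older releases: yes)
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no': root can log in over ssh")
    if s.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes: empty-password accounts can log in")
    if s.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every account may attempt ssh login")
    return findings


if __name__ == "__main__":
    print("empty passwords:", empty_password_accounts(SAMPLE_SHADOW))
    print("no expiry:", accounts_without_expiry(SAMPLE_SHADOW))
    for path in MAX_MODES:  # live check of this host's files, if readable
        if os.path.exists(path) and mode_too_permissive(path, os.stat(path).st_mode):
            print("too permissive:", path)
    for finding in sshd_findings(SAMPLE_SSHD_CONFIG):
        print("sshd:", finding)
```

To run the same checks against a live system, pass the contents of /etc/shadow (read as root) and /etc/ssh/sshd_config to the functions instead of the constructed samples.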
Cisco and Huawei Port Level Bandwidth Control
CISCO
===========
We will assign 1MB of bandwidth to switch port 0/9 (the storm-control levels are given in bps; unicast = 1.024m). Note that storm-control suppresses traffic above the threshold rather than shaping it.
switch_5#configure terminal
switch_5(config)#interface fastEthernet 0/9
switch_5(config-if)#storm-control broadcast level bps 256k
switch_5(config-if)#storm-control multicast level bps 256k
switch_5(config-if)#storm-control unicast level bps 1.024m
Huawei
==========
[SW-2]interface Ethernet1/0/24
broadcast-suppression 10
port access vlan 24
loopback-detection enable
description Client-Name
line-rate inbound 2944
line-rate outbound 2944
For Huawei the line-rate value should be a multiple of 64.
Tayab Khan's Personal Profile
Tayab Khan
Sr. System and Network Consultant
(MCP,CCNA,CCNP,CCNSP,JNCIA,JNCIS-SEC,Msc in CSE)
9+ years' experience in systems and networks. Expert in routing, switching and security. All types of network and corporate network; system servers MAIL, DNS, PROXY, WEB, SMS, SYSLOG, BWMGR, VPN, FTP, SS7, RADIUS, VMWARE; and IT-related LAN, MAN, WAN administrative support and maintenance work. Highly expert in Unix and all types of application server management, monitoring and backup. Expert in CISCO, Huawei, Linksys, Airlive, Juniper devices. My regular cell no +8801914035805
Tayab Khan, System, Network and Training Manager at Daffodil Online Ltd, completed a BSc in Computer Science and Engineering (CSE) and an MS in Computer Science from Jahangirnagar University. His professional experience includes Sr. System and Network Administrator at Grameen CyberNet and Information Services Network Ltd. During his career he has worked on various system and network related solutions with the Bangladesh Army at Army Headquarters, the Bangladesh Air Force, the Bangladesh Police at Police Headquarters, DB, SB, different embassies and well-known organizations.
Mr. Khan is strong in system security, backup, routing, switching and technical solutions with different vendors like CISCO, Huawei, Juniper, Mikrotik and Linux. Mr. Khan has successfully completed Cisco certifications such as CCNA and CCNP, Juniper certifications such as JNCIA-JunOS and Juniper Networks Certified Security Specialist (JNCIS-SEC), the Microsoft certification MCP, UTM and firewall with the Cyberoam certification CCNSP (Cyberoam Certified Network & Security Professional), a certification from the Ministry of Youth & Sports, and advanced-level certifications in Linux and Mikrotik. Mr. Khan is a member of the Bangladesh Computer Society and also a member of ISOC (Internet Society), Bangladesh Dhaka Chapter.