
RSCs – Stimulating and Supporting Innovation in Learning


The life (or lack thereof) of the RSC techies…

RSC Wales External Penetration Testing Service

February 1st, 2010 by Jon Agland

RSC Wales are now able to offer a scheduled external penetration testing service to our supported learning providers.

The external penetration testing service provides a detailed report of your Internet-facing systems and services. The report is generated by scanning the external IP addresses and hostnames used by the organisation; the scans are scheduled to run once a month.

For each system identified, the report lists any issues with the Internet-facing services running on it. Information is then provided on any known security issues, together with guidance on how to investigate further or resolve them. Where an organisation requires further support, RSC Wales can provide additional guidance and advice.

How to register

To register for this service, you will need to provide us with the following information via e-mail to pentest@rsc-wales.ac.uk

1. A list of target IP addresses and hostnames

2. An e-mail address (or addresses) to send the report to.

3. A name for the scan

Further details

The penetration testing service is provided using the open source scanner OpenVAS, so we are restricted by the rate at which the OpenVAS software is developed. If you find these reports useful then please consider contributing to the OpenVAS project.

The reports give you an external view of your network as seen from other hosts on the Internet. The scan can be affected by security devices such as firewalls, especially those performing deep packet inspection or rate limiting. If in doubt about a particular system, we recommend running a copy of OpenVAS or the commercial version of Nessus against the system from within the same logical network, and cross-referencing that report against your firewall rules and/or the results of an external port scan.

As the scan commences you will receive an e-mail advising you that it has started, so that you can be more vigilant for system problems whilst the scan is running. In some cases the scans can perform (or appear to perform) a denial of service attempt, either as they test a particular service for a vulnerability or because the scan places strain on devices performing network security such as firewalls, routers with access-lists or packet-inspecting devices. In our testing these issues are rare.

Finally, RSC Wales accept no responsibility for any issues caused by the scan, or for the validity or integrity of the report. The service is only provided to raise awareness of the security of Internet-facing systems.

Cacti Realtime Plugin

December 4th, 2009 by Jon Agland

I’m a big fan of Cacti, the monitoring tool, although I’ve a small number of the plants too!  One of its limitations is that it works on a 1 or 5 minute poller interval, so you get very rounded figures and no sign of the short bursts of traffic, CPU or anything else you happen to be monitoring.

As my colleague Hefin has pointed out here, you can use a tool called “SNMP Traffic Grapher”.  However, it’s not something you can use from anywhere; in most cases you would need to be at your desk, on a trusted machine that has SNMP access to the devices concerned.  One of the good things about Cacti is that you can (if you want to) use it from anywhere!

So I am pleased to have discovered that there is now a solution for Cacti.  It’s called the Realtime Plugin, and you need to have the Plugin Architecture (PA) installed first.  You probably have PA already if you have the Threshold, Monitor or Weathermap plugins installed.

It can be a bit of a bind having to install PA and the plugins, but I’m hoping this will get easier in the future, as according to the Cacti Roadmap PA will be included in the next point release.  If you are using the latest CactiEZ you already have everything I’ve mentioned installed!

Back to the Realtime Plugin. Once it’s installed, here’s what it looks like:

Cacti RealTime Graph

It’s available via the line graph icon beside each of your Cacti graphs.

CactiEZ, the Plugin Architecture and the Realtime Plugin can all be downloaded from CactiUsers.org.

Cacti itself is available from cacti.net.

Shibboleth – some deployment considerations

November 2nd, 2009 by Jon Agland

This is an update to the advice given at the ITSYSMAN meeting in October.

A few considerations if you’re deploying a Shibboleth entity (Identity or Service Provider) within the next few months.

Forget about Shibboleth 1.3

It goes end of life in June 2010, so concentrate your efforts on Shibboleth 2.0.  Those with existing Shib 1.3 installs need to start looking at upgrading their installation.

SSL Certificates for Shibboleth

Important update: as a result of an announcement from JANET (see this comment), you can apply for a JANET SCS certificate between now and 11th December 2009 and it will still be valid for its full term.  However, the following advice remains valid should you ever need to change your certificate, and the advice regarding self-signed certificates still stands.

Due to the changes in the JANET SCS, it could be worth holding back on “going live” with your Shibboleth install until you can get the new certificates (probably from January 2010).

You could go live with an existing JANET SCS certificate, but you will need to change it before 6th April 2010 (when all the existing JANET SCS certificates expire).  The complexity of the change depends on whether you only use the certificate for the webserver (Tomcat, Apache or IIS), which should be fairly simple.  If you use the certificate with Shibboleth itself, the change could cause some unavailability of your Shibboleth IdP whilst the federation metadata is updated and then whilst the service providers obtain that update.

That leads me on to the next piece of advice, which was recommended to those of us on the JANET Shibboleth courses in Llandrindod Wells by the trainer, Rhys Smith from Cardiff University: for your Shibboleth configuration you should use self-signed certificates, signed for an extended period (e.g. 10 years).

My advice on self-signed certificates: first, make some very careful notes of the process (and the passphrase).  Second, ensure that the certificates are fully backed up, including backing up the private key file BEFORE signing the certificate request.

You should continue to use the JANET SCS or similar certificates on the webservers concerned (unless you want your users to get some error messages!).

Second Life Voice Chat and Cisco Extended ACLs

October 21st, 2009 by Jon Agland

A few weeks ago we couldn’t get Second Life Voice Chat working through some ACLs on a Cisco router.

All the documentation on the web suggests that the only way to do this is to use reflexive ACLs.  However, as we are using some quite lengthy extended ACLs, it wasn’t going to be easy to change those to reflexive ACLs.

So why would you need reflexive ACLs?  It’s all to do with state or connection tracking.  With extended ACLs you can approximate TCP connection tracking using a rule that accommodates any return traffic belonging to an existing connection (strictly, the established keyword matches any TCP segment with the ACK or RST bit set; it is not true state tracking).  Something like this one:

access-list 110 permit tcp any any established

Unfortunately extended ACLs don’t allow you to do this for UDP, and as Second Life Voice Chat uses the SIP protocol it’s difficult without this.  The service seems to be hosted by a provider called Vivox, who also provide similar services for some online games such as Eve Online; this was useful as the documentation seemed to be better than for Second Life.  Finally I managed to find the IP ranges used by Vivox on this page.

The IP ranges are:

  • 64.34.14.0/24
  • 70.42.62.0/24
  • 74.201.98.0/23
  • 64.127.112.104/29
  • 64.127.123.192/26
  • 64.147.162.0/26
  • 64.147.180.128/27

The next step for me was to isolate a PC, on an isolated segment of network, that we knew could run Second Life Voice Chat fine with no ACLs in place (or with reflexive ACLs in place), and then to monitor the traffic using something like Wireshark or tcpdump.  Logging dropped packets on the Cisco router was also very useful.  Finally, after a lot of testing, I came up with some working access-list rules.

The solution is not particularly elegant, and is a compromise between security and usability.  The access-list rules assume that you have already granted (whether locally or via other rules) the necessary access for machines to connect to the Internet (e.g. HTTP, HTTPS, NTP and DNS), and that the access-list has a TCP established line and ends with a default deny line.

Inbound

access-list 101 permit udp 64.34.14.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 eq 3478 any range 1024 65535
access-list 101 permit udp 64.34.14.0 0.0.0.255 eq 5062 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 eq 5062 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 eq 5062 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 eq 5062 any range 1024 65535
access-list 101 permit udp 64.34.14.0 0.0.0.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 range 12000 16000 any range 1024 65535
access-list 101 permit udp any eq 12035 any

Outbound

access-list 110 permit udp any any eq 5060
access-list 110 permit udp any any eq 5062
access-list 110 permit udp any any eq 3478
access-list 110 permit udp any any range 12000 16000
access-list 110 permit tcp any any eq 21002
access-list 110 permit tcp any any eq 12043
access-list 110 permit tcp any any eq 12035
access-list 110 permit tcp any any eq 12036

MySQL Binary Logs

June 19th, 2009 by Jon Agland

This seems to have caught me out a few times recently. The binary logs MySQL generates can be huge, particularly with databases that constantly change, and the default configuration (in Gentoo at least) fails to rotate or expire these logs.

In Gentoo they are stored in /var/lib/mysql, with names like mysqld-bin.000001.  In a few instances they have grown to several gigabytes, which on systems where disk space is at a premium (or where disks have been made deliberately small in virtual machines) has caused some systems to unexpectedly run out of disk space.

MySQL binary logs are needed for things like replication between MySQL servers (which I suspect many people don’t use) and for the repair of databases.  So realistically the most you should need is a few days of these logs: enough to restore your latest backup and then use the binary logs to replay the transactions that have occurred since.

The answer to the problem is to put a sensible line like “expire_logs_days = 7” in the [mysqld] section of your MySQL my.cnf file (/etc/mysql/my.cnf in Gentoo).

If the binary logs have consumed all the disk space and you can’t get MySQL restarted, you can pick some of the older (lower-numbered) mysqld-bin.* files out, delete them, and then restart MySQL.

Update: I recently had this issue again. You may need to update mysqld-bin.index (delete the lines referring to the files you’ve deleted) before MySQL will restart successfully.
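An added example (not from the post) in Python that plans the clean-up described above for the case where mysqld will not start, so PURGE BINARY LOGS cannot be used: it picks the oldest, lowest-numbered logs until enough space would be freed, never touches the newest log that mysqld is still writing to, and rewrites mysqld-bin.index without the deleted entries. The directory listing and index contents are constructed; the functions return a plan and the new index text and do not delete anything themselves.

```python
import re

# Binary log names as Gentoo's default log-bin setting produces them.
BINLOG_RE = re.compile(r"^mysqld-bin\.(\d{6})$")

# Constructed listing of /var/lib/mysql as {name: size in bytes}; not real data.
SAMPLE_LISTING = {
    "ibdata1": 50_000_000,
    "mysqld-bin.index": 80,
    "mysqld-bin.000001": 1_200_000_000,
    "mysqld-bin.000002": 900_000_000,
    "mysqld-bin.000003": 1_500_000_000,
    "mysqld-bin.000004": 300_000_000,  # newest: the log mysqld is writing to
}

# Constructed mysqld-bin.index: one log path per line, as mysqld keeps it.
SAMPLE_INDEX = (
    "./mysqld-bin.000001\n"
    "./mysqld-bin.000002\n"
    "./mysqld-bin.000003\n"
    "./mysqld-bin.000004\n"
)


def binlogs_in_order(listing):
    """Binary log names sorted by their sequence number, oldest first."""
    found = []
    for name in listing:
        m = BINLOG_RE.match(name)
        if m:
            found.append((int(m.group(1)), name))
    return [name for _, name in sorted(found)]


def plan_purge(listing, bytes_needed):
    """Choose the oldest logs to delete until at least bytes_needed would be freed.
    The newest log is always kept. Returns (names_to_delete, bytes_freed)."""
    logs = binlogs_in_order(listing)
    to_delete, freed = [], 0
    for name in logs[:-1]:
        if freed >= bytes_needed:
            break
        to_delete.append(name)
        freed += listing[name]
    return to_delete, freed


def rewrite_index(index_text, deleted):
    """Drop index lines that refer to deleted logs, so mysqld does not refuse to
    start over a missing file. Entries are compared by basename, so a './' or
    absolute path in the index both match."""
    gone = set(deleted)
    kept = [line for line in index_text.splitlines()
            if line.strip() and line.strip().rsplit("/", 1)[-1] not in gone]
    return "".join(line + "\n" for line in kept)


if __name__ == "__main__":
    names, freed = plan_purge(SAMPLE_LISTING, 2_000_000_000)
    print("delete:", names, "frees", freed, "bytes")
    print(rewrite_index(SAMPLE_INDEX, names), end="")
```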

Setting up a Shibboleth IdP on Gentoo Linux

April 20th, 2009 by Jon Agland

At the end of March I, along with a number of techies, attended the Netskills Federation Access Management Training course at Aberystwyth University.  Having had a go at setting up Shibboleth in the past against the testshib.org federation, and being a bit of a Linux geek, I wasn’t going to take long to get there, so I thought I would very quickly share my experiences.  I’m not going to go through any of the red tape; to get to this stage you will need to have registered with the federation, registered an IdP and obtained the relevant SSL certificate.

With my red tape cut, I followed these and these instructions very loosely and set about installing the required packages on Gentoo Linux.  These were apache and tomcat, so I needed some reasonably sane global USE flags in /etc/make.conf:

USE="tokenizer curl zip bzip2 gd ldap mysql apache2 php xml xpat xpat2 -X -kde -gnome"

There are a few unrequired flags on my “idp” virtual machine, but this is because I used a template that I usually deploy for Apache/MySQL/PHP applications, so it wasn’t quite as clean as I would like.  You definitely need the ldap flag and the “-” ones; some of the rest can probably go.

I also had some less sane options for APACHE2_MODULES, again in /etc/make.conf:

APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"

Looking at this, you definitely need alias, the proxy-related modules, rewrite and include, but I’m sure that a large number of the others could go.  I also had a package USE flag in /etc/portage/package.use:

www-servers/tomcat examples

so that your /jsp-examples/ test works.

So at this point you can probably run the command:

emerge tomcat apache

I also needed to modify /etc/conf.d/apache2 so that LDAP support was turned on, the important line being APACHE2_OPTS:

APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -D PROXY -D LDAP -D AUTHNZ_LDAP"

After that it was just a case of getting Shibboleth installed from its tarball; I chose to install it into /opt/shibboleth-idp.

I then had to copy the .jar files from /opt/shibboleth-idp/endorsed into /var/lib/tomcat/common/endorsed, and that was more or less a working Shib, with just the actual configuration to go.

I won’t give the idp.xml as this guide on the UK Federation site is more than sufficient.

I have however attached some of my other config files (with all sensitive info searched and replaced):

resolver.xml: this is the bit that does all the hard work mapping eduPerson attributes to your directory.  I took the bit for eduPersonAffiliation almost directly from a posting by Michael White (University of Stirling) to the JISC-SHIBBOLETH JISCmail list.  You can probably find this info here or by using the JISCmail archives.  I also managed to obtain a copy of Swansea University’s resolver.xml file from Alex, who looks after the University’s Shibboleth IdPs, which was very useful to compare against and get me started.

When I was checking some of the LDAP-related syntax, I stumbled across this Sample Guide to Configuration Files by Chris Simpson at Swansea College, which I found very useful.

arp.site.xml: this is the Attribute Release Policy.  This one is really insecure as it releases loads of info to everyone, but it will be useful for testing and for creating your own more secure policy.  Sorry to the RSC team, whose details will be released to the resource if they ever choose “JISC RSC Wales” from a UK Federation page…

shib-apache.conf: basically all the lines I needed to add to Apache to act as a proxy, so that we can gain access to Tomcat via /shibboleth-idp and so that users are authenticated against Active Directory via LDAP.

Now, time keeping: if you install on VMware then remember to install the VMware Tools, make sure that they are working/running, and that the physical host is synchronised with a time server.  If installing on a physical box remember to install NTP!  If everything seems to work and you then get “Session Error”, double check that the time is correct on the IdP server.

That’s it for now.  If you’re deploying Shibboleth then let me know how you’re getting on.  In the meantime I’ll try and get some sensible instructions written up, and maybe even a virtual appliance!

The next big step will be to get the Shibboleth Service Provider working with Moodle.

Synchronised File Storage with iFolder

April 6th, 2009 by Jon Agland

A few months ago I spent a little bit of time setting up iFolder, primarily to deal with the team’s requirements for backed-up file storage; many of the RSC Wales team are laptop users.  With many solutions there is the struggle of remembering to upload files and remembering which computer you saved that particular file on.  The beauty of iFolder is that its client synchronises your files with your iFolder server, and therefore with all your other computers.

So once I had installed the client on my work PC (Linux), laptop (Vista) and home PC (XP), I could simply save my files in one of my designated “iFolders” and it would automatically synchronise them.  You also don’t need to have all folders synchronised on all PCs, and you can still upload and download files via the web interface, e.g. if you’re using someone else’s computer.

iFolder is a Novell product (part of Open Enterprise Server 2.0) but is also available as open source from http://www.ifolder.com.  We’ve been running iFolder 3.6 for about 6 months, but it was difficult to find the very latest packages for it, and there were some issues with using the client on Windows Vista.  With iFolder 3.6 having been released some 12 months before, and a general lack of activity on the iFolder site, I was rather concerned that if I wanted to upgrade I would need to move to OES 2.0 and potentially pay for the privilege (I say potentially because Swansea University are covered under a Novell site licence).

The excellent news is that Novell have recently announced that iFolder 3.7 has been released as open source and is now available at http://www.ifolder.com (which has been redesigned).  I shall definitely be trying this one out and probably upgrading our system to 3.7 as a result, so watch this space…

Cacti

January 19th, 2009 by Jon Agland

For anyone who’s used MRTG and found it a little cumbersome to configure, Cacti solves that for you.  It’s a definite first step to monitoring your network and systems, and once you start adding the plugin architecture and plugins, it’s the next few steps as well.

The quickest and easiest way to get a copy of Cacti ready is using CactiEZ from Cactiusers.org.  The CD has the most useful plugins installed and configured and will install straight onto a PC (warning: it will erase all data, so make sure that’s definitely a spare PC).

I’ve also had CactiEZ running in VMware, although I recommend this only for testing: if you start using the Threshold plugin you will want Cacti to be your eyes and ears, so a physical server near the centre of your network is probably the best place.  If you really get into Cacti then you will probably want to build your own server to run it on, so that you can manage updates to the server’s core components: Apache, PHP, MySQL and NET-SNMP.

One final note: CactiEZ uses a 1 minute poll interval, whereas the default Cacti install uses a 5 minute poll interval.  Watch out for that one, as it may mean that some templates you download will need a slight modification using the CDEF function.

Otherwise it’s definitely go Cacti.  I’ve been using it for 4 years, and in that time have monitored Cisco, 3Com, Linux, Windows, VMware ESX and a whole host of other devices.  If any of our supported learning providers need some further advice on monitoring their networks/systems, you know where Hefin and I are… Big clue?

SQL Express and VMware VirtualCenter

December 2nd, 2008 by Jon Agland

I seem to be getting a bit of regular grief: after updating VMware VirtualCenter I find that after a reboot it is no longer running, and I have to go in and manually start the service.

Why?  It’s because I’m using SQL Express: the VirtualCenter service starts before the SQL Express instance is up, so it can’t find the SQL server and therefore fails.

The little hack I’m using to fix this is to go into the Registry Editor and, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpxd, add MSSQL$SQLEXP_VIM to the DependOnService list, so that the Service Control Manager starts the SQL Express instance first.

Fortunately, as VirtualCenter is just a management platform, this doesn’t affect my running virtual machines/servers.

I suppose I had better make my next “technical” post about something other than VMware!

Demand for technical training courses?

December 2nd, 2008 by Jon Agland

We are in the process of trying to determine what technical training courses we should arrange to take place in Wales in the coming months.  If those from our supported learning providers would like to register their interest or suggest some possible courses we could run, then please use the following Google Docs form.

We would also welcome any interest from others in the Welsh public sector.
