Skip to main content

Posts

Showing posts from May, 2008

Welcome to the new home of www.joe-ma.co.za

Hi all I have moved all the content over to blogspot. in the hopes of adding more features and getting the access speed up. All the articles are here including the most popular ones like Cisco DynDNS config and Cisco Static DHCP. ALL of them are waiting for you folks to go check out. I hope these How-Tos are going to help you. Please check on the "Blog Archive" on the left side of the screen for all the articles, or check the Right side for the Labels. In the Label box you will see the tags like Cisco Dynamic DNS Rancid Tacacs+ FreeBSD etc. I will be moving the www.joe-ma.co.za domain over to blogspot in the next 2 months or so.

Configuring FreeBSD Postfix Mailscanner and Mailwatch

Configuring Mailscanner Mailwatch and Postfix for FreeBSD The Install guide is here I have split the install guide and the configuration guide as they are pretty involved and might cause confusion if they where put together. I will start off with the easier stuff like clamav and then move on to spamassassin and postfix and then finally to mailscanner and mailwatch. if you have not already read the Install Guide Which might be helpful to newcomers here is a summery of what has been installed. Apache and php - this is for the Mailwatch web frontend. Mysql - This is where mailscanner will log info and where your black and white lists will live. Mailwatch - Mailwatch is the web front end to help monitor and manage Mailscanner. Spamassassin - This is the system that checks the mail content looking for spam. Clamav - the Antivirus scanner that Mailscaner will use Mailscanner - The server that uses all of the above to keep your mail clean and spam free. Ok now that that is over: Confi...

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD I have setup a number of servers using mailscanner and postfix to do antispam and antivirus checking. This particular example will show you how to set the server up as a mail gateway. i.e. all inbound and outbound mail will go via this server. You can also use the server as a pop3/imap4 server and doing so, does make life a little easier as you don't have to worry about the transport and relay_hosts files. At a later stage I will show that info too..... when I get a chance. This my seem strange but as there is quite a bit involved in installing and configuring I am splitting this into two How-To's this one, The install How-To and the configuration How-To First off its probably best to start on a new install of FreeBSD. Once you have done the initial portsnap fetch and portsnap extract Right here we go. Two things you might want to do is force your NIC to 100MB full duplex and install lsof Type in ifconfig and check if the...

Logging to syslog-ng on FreeBSD

Logging Cisco devises to syslog on FreeBSD Overview What we are going to do here is get a FreeBSD server up and running with syslog-ng, so that we can log information from our Cisco devises to it. This How-To will be pretty detailed and we will be logging data from Cisco Routers Switches and Cisco PIX Firewalls. We are going to get the syslog-ng daemon to create the log files automatically and to log to a new file each day, with a date stamp in the file name. Installation This is probable the easiest part All you have to do is “cd /usr/ports/sysutils/syslog-ng” and run “make install clean” Now that the port is installed you can edit the syslog-ng startup script to change the following line from NO to YES : ${syslog_ng_enable:="NO"} : ${syslog_ng_enable:="YES"} also add syslog_ng_enable="YES" to your /etc/rc.conf file Save the file, then edit your /etc/rc.conf file and add syslog_ng_enable="YES" and also add syslogd_enable="NO" this wil...

Securing PHP4

There are many things to take into account when it comes to trying to secure anything not only PHP or Apache or Postfix or anything else 1. You and your users still need to be able to use it 2. The server can be as secure as possible but a few lines of bad code can really screw up your morning. There are a few things to keep in mind when configuring the php.ini file Firstly its probably not a bad idea to chroot your apache server, there are a few very good examples on how to do this on the web Just do a search in google or something in your php.ini file add the following safe_mode = On safe_mode_gid = Off expose_php = Off register_globals = Off display_errors = Off log_errors = On error_log = "filename" safe_mode = On By switching on the safe_mode, you have just made your server probably twice as secure as it was before. Safe mode will ensure that only the owner of the file or script is able to read or execute that file or script Here is an example -rw-rw-r-- 1 joeuser j...

Multiple IP addresses on FreeBSD on the same NIC

Sometimes you need more than one address aliased to a network interface on a server. for instance if you want to use ssl pages in apache each ssl certificate should have its own IP address and each VirtualHost that runs on port 443 should have a unique IP address. You can get around thins by changing the port from 443 to something like VirtualHost:4430 vhost info VirtualHost:4431 vhost info VirtualHost:4432 But you are not using default ports and it might be a problem out in the real world sure you could do the above in side your own network Anyway thats not what this is about this is to Alias other IP's to your NIC on your FreeBSD server all you have to do is edit the /etc/rc.conf file defaultrouter="10.10.10.1" hostname="mysrv.mydom.com" ifconfig_em0="inet 10.10.10.4 media 100baseTX mediaopt full-duplex netmask 255.255.255.0" ifconfig_em0_alias0="10.10.10.7 netmask 0xffffffff" ifconfig_em0_alias1="10.10.10.8 netmask 0xffffffff" if...

Securing Apache 1.3

Securing Apache 1.3 Overview There are many things to keep in mind when trying to secure anything, one of the most important is to make user that the system is usable and secure there is usually a bit of a trade off between security and usability. You could secure Apache by not allowing users to use any sort of scripts or only plain HTML pages but that’s not usually practical. In this article I am going to go over the basic things to keep in mind on how to secure Apache but I will not go into running it in a jailed root mode. There is however a great article on this over at SecurityFocus . Installation Firstly you will need to install Apache if you are using FreeBSD then simply go to your ports directory and run a make install clean /usr/ports/www/apache13 Or any of the other apache 1.3 ports that you might want to install Like apache13-modssl or apache13-ssl/ In the case of the SSL apache versions you would install as follows # make # make certificate ( this is so you can create a s...

Apache and Mod Security

Installing and configuring Mod Security ModSecurity is an open source application that acts as a web application firewall or an Intrusion Detection and Prevention system. It can but run as an Apache Module or as standalone. ModSecurity is able to increase web based application security from attacks. Installing ModSecurity This is simple just run a make install clean in FreeBSD's mod_sec port directory, if you are not running FreeBSD and need the source you can get it from the ModSecurity Site. Preparing the ModSecurity config file for use with Apache I have split my httpd.conf file up so I have a separate conf directory in /usr/local/etc/apache you can put your modsecurity.conf directly in that directory but for this example I am going to use /usr/local/etc/apache/conf # mkdir modsec-rules # vi modsecurity,conf AddHandler application/x-httpd-php .php SecAuditEngine RelevantOnly SecAuditLog /var/log/modsec/audit_log SecFilterScanPOST On SecFilterEngine On SecFilterDefaultAction ...

Static NAT and PAT (port forwarding)

Static NAT and PAT (port forwarding) NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series routers in general including the Cisco 827 Cisco 837 Cisco 877W the Cisco 1720 Cisco 1721 Cisco 1750 series and the CIsco 1600 series Right so you have setup your Cisco DSL (or you only have one IP address from your ISP) and you have setup your DynDNS so that you can connect to the router. But now you what’s next? Well the usual next step, and probably the whole reason you did this in the first place is so that you can connect to the server from the outside world for a web server or a mail server. or some thing similar. The basic principal is that the connection is made in from the dialer interface (the external address) and passed to the internal address on a matching port. There is a limitation to this though, if you have two web servers both listing for traffic on port 80 but only one external address you are going to run into ...

Automatic Browser Configuration for Proxy Servers

In this How-To, we are going to cover the ability to automatically configure your browser to use a proxy. This should work fine with Mozilla FireFox, Internet Explorer and most other browsers, for Apple's Safari things are a little Different but I will cover that as best I can. There are a few ways of doing thins but the actual proxy.pac or wpad.dat files are the most important. So we will start there. Proxy Configuration Files PROXY.PAC and WPAD.DAT They are actually the same file so you can just Alias or symlink the two files. So that if you edit the one the other “file” will also be updated. (I don’t think you can do this in windows but I might be wrong its been a long time. In the Below Example we are going to tell the browser that if the domain we are going to matches a rule then go directly to the site, this is very useful for Internal sites like intranets that you don’t really need to cache. Then we will also tell the browser to go Direct for port 443 or https sites I doubt ...

Dynamic DNS on a Cisco ADSL Router

Any new Cisco ADSL router in the 800 series should support dynamic DNS updates to a DDNS provider like DynDNS.com This particular example is for a Cisco 877 ADSL router. NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series DSL routers in general including the Cisco 827 Cisco 837 Cisco 877W as long as your Cisco IOS on the router supports the DDNS config You might want to check the Cisco ADSL config guide too . First off you are going to want to create an account with a DDNS Provider, this particular example uses DynDNS.org but others should work in the same way or at least in a similar way. In this example the dns name we want is mycisco.dyndns.org OK lets go Login to you router via console or telnet Go into Enable mode Then configure terminal (conf t) ip domain name dyndns.org ip name-server ip.ip.ip.ip ip name-server ip.ip.ip.ip ip ddns update method DynDNS HTTP add http://uname:passwd@members.dyndns.org/nic/u...

Cisco Static DHCP Configuration

Assigning STATIC IP addresses on a Cisco Router via DHCP Although it’s not something that is probably all that common, and it’s actually the first time I have had a need to use this on a router, I thought I would share this information with you anyway NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series routers in general including the Cisco 827 Cisco 837 Cisco 877W the Cisco 1720 Cisco 1721 Cisco 1750 series and the CIsco 1600 series Normal DHCP config for a Cisco Router ip dhcp excluded-address 192.168.1.1 192.168.1.10 We are excluding anything in the range between 192.168.1.1 to 1.10 In this example our servers are in this range and we don’t want any conflicts, also the router is .1 ip dhcp pool POOL-NAME network 192.168.1.0 255.255.255.0 dns-server 192.168.1.7 192.168.1.8 default-router 192.168.1.1 lease 0 8 The pool name is exactly that a name it will mean more to you than to the router so make it something yo...

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide What is TACACS As per wikipedia Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD This guide is intended to be a basic implementation of TACACS+, so although there are may features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure on another platform. You may also want to check out my Rancid How-To Once again its in your ports directory. cd to /usr/ports/net/tac_plus4/ run a "make install clean" Once installed vi /usr/local/etc/rc.d/tac_plus.sh Then Change the following line from NO to YES tac_plus_enable=$ Save the file, then vi /e...

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products What is Rancid? Rancid is an application that monitors a devices configuration including software and hardware. The configuration is then stored in a Concurrent Version System or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as notify you when a configuration has changed, i.e a firewall rule or a routers IP address or access list change. here is an example of the output =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 the - symbol represents what was removed the + symbol represents what was added The abo...

Setting up a Cisco 800 series Router for ADSL

Setting up a Cisco 800 series Router for ADSL Not that the Average user would use a Cisco ADSL router, or if they do use a Cisco product it would probably be a Linksys router. Anyway here is the config with comments in between. all comments are in italics You might want to check out the Cisco DYNDNS configuration guide too NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series DSL routers in general including the Cisco 827 Cisco 837 Cisco 877W This example is a basic setup for just access to the web you can enable PAT or Port Address Translation on the router to allow access from the outside to a server or something like that. Also this setup is for a Dynamic IP from the ISP you might also want to checko out the how to on setting up SSH login on the router no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname # your router name i.e. Bobs Router ! boot-st...