disable-ab2.fin |
Answer Book 2 |
disable-apache.fin |
|
disable-apache2.fin |
|
disable-appserv.fin |
Java App Server |
disable-asppp.fin |
Async PPP |
disable-autoinst.fin |
Disables SYS-UNCONFIG |
disable-automount.fin |
NFS Automounter |
disable-dhcpd.fin |
Disables DHCP server |
disable-directory.fin |
Sun One Directory Server LDAP |
disable-dmi.fin |
Desktop Management Interface lrc:/etc/rc3_d/S77dmi |
disable-dtlogin.fin |
Disabled CDE from starting |
disable-face-log.fin |
Removed write permission on log for SUNWfac - rarely used |
disable-ipv6.fin |
Disables IPV6 |
disable-IIim.fin |
Internet-Intranet Input Method - Asian input |
disable-kdc.fin |
Kerberos Key Server |
disable-keyserv-uid-nobody.fin |
disables User ID Nobody for secure RPC |
disable-ldap-client.fin |
Prevents LDAP Client from starting |
disable-lp.fin |
Stop Print Services |
disable-mipagent.fin |
Mobile IP |
disable-named.fin |
BIND DNS Server |
disable-nfs-client.fin |
|
disable-nfs-server.fin |
|
disable-nscd-caching.fin |
disable caching of passwords/groups & hosts |
disable-ppp.fin |
Sync PPP |
disable-preserve.fin |
Stops moving saved files - been edited |
disable-power-mgmt.fin |
|
disable-remote-root-login.fin |
|
disable-rhosts.fin |
Disable use of .rhosts changes PAM config |
disable-routing.fin |
Disables RDISC/RIP/Forwarding - routeadm |
disable-rpc.fin |
RPC - Also breaks NFS |
disable-samba.fin |
Disable from starting |
disable-sendmail.fin |
Disable sendmail accepting mail |
disable-slp.fin |
Disables Service Location Protocol RFC 2608 |
disable-sma.fin |
System Management Agent - NET-SNMP |
disable-smcwebserver.fin |
Solaris Management Console |
disable-snmp.fin |
SNMP |
disable-spc.fin |
Sun Soft print Client svc:/application/print/cleanup:default |
disable-ssh-root-login.fin |
Disables ROOT login via SSH |
disable-syslogd-listen.fin |
Disable SYSLOGD from accepting logs |
disable-system-accounts.fin |
remove smtp listen nobody4 |
disable-uucp.fin |
Disable Unix to Unix Copy |
disable-vold.fin |
VOLD = CDROM automount |
disable-xfs.fin |
X Font Server |
disable-xserver-listen.fin |
Disable X11 port 6000 |
enable-account-lockout.fin |
Enabling account lockout to lock user accounts with repeated |
enable-coreadm.fin |
Save cores |
enable-ftpaccess.fin |
Enable -a flag - FTPACCESS |
enable-ftp-syslog.fin |
Enable -l flag - SYSLOG |
enable-inetd-syslog.fin |
SYSLOG all connections to inetd services |
enable-ipfilter.fin |
Enable Firewall - rules /etc/ipf/ipf.conf |
enable-password-history.fin |
Remember previous passwords |
enable-priv-nfs-ports.fin |
Allow NFS access from port <1024 |
enable-process-accounting.fin |
Enable process accounting SUNWaccr |
enable-rfc1948.fin |
TCP Sequence Number - TCP_STRONG_ISS=2 |
enable-stack-protection.fin |
Kernel Level Stack Protection |
enable-tcpwrappers.fin |
create hosts.allow and hosts.deny SSHD may be too restrictive. |
install-at-allow.fin |
at.allow - restrict access to at command |
install-ftpusers.fin |
Add all users for ftpusers to denied access |
install-loginlog.fin |
Enable logging of failed login attempts - loginlog |
install-md5.fin |
Install MD5 on Solaris 8 and 9, Sol 10 use digest cmd |
install-nddconfig.fin |
Enable secure network settings |
install-newaliases.fin |
Creates correct aliases for Sendmail - minimal install |
install-sadmind-options.fin |
Sol 8 & 9 - Security level for sadmind service |
install-security-mode.fin |
Enable OBP Command security - need passwd |
install-shells.fin |
Add SHELLS |
install-sulog.fin |
Track SU use and attempted use |
print-rhosts.fin |
Finds .rhosts & hosts.equiv |
remove-unneeded-accounts.fin |
Removes unneeded accounts |
set-banner-dtlogin.fin |
adds banner to DTLOGIN |
set-banner-ftpd.fin |
|
set-banner-sendmail.fin |
|
set-banner-sshd.fin |
|
set-banner-telnetd.fin |
|
set-flexible-crypt.fin |
Enable stronger encryption of local passwords - md5 |
set-ftpd-umask.fin |
|
set-login-retries.fin |
Allow 3 attempts to login |
set-power-restrictions.fin |
Restrict access to power commands |
set-rmmount-nosuid.fin |
Disable mounting of SET-UID files of CDROMS |
set-root-group.fin |
Change root group to 0 |
set-strict-password-checks.fin |
Complex passwords for local users |
set-sys-suspend-restrictions.fin |
Restrict suspend function |
set-system-umask.fin |
Create umask 022 |
set-tmpfs-limit.fin |
Set to 512Mb |
set-user-password-reqs.fin |
Min Length, Expire etc.. |
set-user-umask.fin |
Profile /etc/skel .. |
update-at-deny.fin |
|
update-cron-allow.fin |
|
update-cron-deny.fin |
|
update-cron-log-size.fin |
CRON LOG set to 512K |
update-inetd-conf.fin |
JASS_SVCS_DISABLE Drivers/finish.init |
enable-bart.fin |
Sol10 only - Setup BART - basic audit reporting tool |
Tuesday, July 12, 2011
Sun Security Tool Kit - Finish Script Descriptions
Sun Security Tool Kit (SUNWjass) provides an Oracle Solaris OS hardening driver (template). Behind this are a number of finish scripts (.fin), which actually do the OS hardening. This is a brief description of each one where the name isn't obvious.
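As an added example (not part of the original post or of SUNWjass), a small audit script that checks three of the settings listed above once the finish scripts have run. The file locations (/etc/default/inetinit, /etc/default/login, /etc/ssh/sshd_config) and all function names are assumptions of this example; the expected values come from the descriptions above.

```shell
# Added example: audit three settings that the finish scripts listed above apply.
# Paths are the usual Solaris 10 locations (an assumption; adjust per release).

# Value of KEY from an /etc/default style file (KEY=value); commented-out
# lines are ignored and the last active assignment wins.
default_value() {  # $1=file $2=key
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -1
}

# Value of a keyword from sshd_config; the first active occurrence is used.
# (On Solaris run this with nawk; legacy /usr/bin/awk lacks -v and tolower.)
sshd_value() {  # $1=file $2=keyword
    [ -f "$1" ] || return 0
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one PASS/FAIL line; return non-zero on FAIL.
check() {  # $1=finish script $2=setting $3=expected $4=actual
    if [ "$3" = "$4" ]; then
        echo "PASS $1: $2=$4"
    else
        echo "FAIL $1: $2 expected '$3', found '${4:-unset}'"
        return 1
    fi
}

# Audit the tree under $1; the return status is the number of failed checks.
audit() {
    root=$1; fails=0
    check enable-rfc1948.fin TCP_STRONG_ISS 2 \
        "$(default_value "$root/etc/default/inetinit" TCP_STRONG_ISS)" || fails=$((fails + 1))
    check set-login-retries.fin RETRIES 3 \
        "$(default_value "$root/etc/default/login" RETRIES)" || fails=$((fails + 1))
    check disable-ssh-root-login.fin PermitRootLogin no \
        "$(sshd_value "$root/etc/ssh/sshd_config" PermitRootLogin)" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample root: RETRIES is left commented out, so one check fails.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/default" "$d/etc/ssh"
    printf '#TCP_STRONG_ISS=1\nTCP_STRONG_ISS=2\n' > "$d/etc/default/inetinit"
    printf 'CONSOLE=/dev/console\n#RETRIES=5\n' > "$d/etc/default/login"
    printf '# constructed sample\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
    echo "$d"
}
sample=$(make_sample_root) && { audit "$sample" || echo "$? check(s) failed"; rm -rf "$sample"; }
```

Run `audit /` on a hardened host, or `audit /a` against a root file system mounted from single-user mode.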
Saturday, June 04, 2011
Windows - Must Install Open Source Utilities
Name | Description | URL |
7Zip | Archive/Compression | |
Putty | The default SSH client | |
GIMP | Graphics | |
Wireshark | Network Sniffer/Analyser | |
WinSCP | SCP/FTP client | |
UltraVNC | VNC Server/Client | |
FreeMind | Mind Mapper | |
Launchy | Windows Quick Launcher | |
Greenshot | Screen Capture | |
VIM | VI Improved Editor | |
CCleaner | Remove cache and cookies | |
Notepad++ | Notepad replacement | |
NX Client | NoMachine Client | |
NMAP | Port Scanner Zenmap GUI | |
LibreOffice | Word processor, Spreadsheet | |
Putty Session Manager | Putty Quick Launcher - Hot Keys | |
VirtualBox | Desktop Virtualisation | |
Firefox 4 | Mozilla Browser | |
Google Chrome 11 | Google Browser | |
Drop Box | Cloud Storage |
Monday, January 03, 2011
2011 Todo List
Certifications
Veritas Storage Foundation HA re-certify for 5.1
RedHat RHCE
Translate Sun Microsystems certifications to Oracle Knowledge Zones
Courses
VMware 4.x Design Workshop (Required for Partner Enterprise Certification)
Learn
IBM Director for AIX and x86 world
Oracle VM Server (x86)
Cloud Deployment of Infrastructure and Services.
Solaris 11, been playing with OpenSolaris but need to get serious now.
WTL Internal,
Move vSphere 4.0 ESX hosts to 4.1 ESXi
Updated Firewall hardware.
Friday, December 24, 2010
An Ode to a putty and screen. Also keeping green
I love the simple things in life, especially those that make life simple.
I was requested to build two Solaris 10 servers remotely, Setup SUNWjet & template (very straight forward these days)
One putty session over VPN, loaded with screen utility with named split screens.
I didn't use any carbon travelling to site, but shouldn't I get some bonus points for low bandwidth as well!!
Screen Options
^AA = to name a session
^As = Split screen
^ATAB = Switch split screen
Putty settings: SSH2, compression and Blowfish encryption.
Wednesday, September 15, 2010
OpenIndiana - First install
Can you use Solaris wanboot to boot a system into single user mode?
Can you use Solaris wanboot to boot a system into single user mode?
Google or Sun Docs didn't have the definitive answer for me.
Answer is YES
T5240, No Keyboard
Copyright 2010 Sun Microsystems, Inc. All rights reserved.
OpenBoot 4.30.7, 8192 MB memory available, Serial #xxxxxx.
Ethernet address 0:ff:ff:ff:f:ff, Host ID: 8xxxxxx.
{0} ok
{0} ok setenv network-boot-arguments host-ip=10.1.1.1,router-ip=10.1.1.254,subnet-mask=255.255.255.0,hostname=hostname-gd,file=http://172.16.1.1:80/cgi-bin/wanboot-cgi
network-boot-arguments = host-ip=10.1.1.1,router-ip=10.1.1.254,subnet-mask=255.255.255.0,hostname=hostname-gd,file=http://172.16.1.1:80/cgi-bin/wanboot-cgi
{0} ok boot net -s
Boot device: /virtual-devices@100/channel-devices@200/network@0 File and args: -s
Wed Sep 15 14:04:06 wanboot info: WAN boot messages->172.16.1.1:80
SunOS Release 5.10 Version Generic_141444-09 64-bit
Copyright 1983-2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Booting to milestone "milestone/single-user:default".
Configuring devices.
Network interface was configured manually.
10.1.1.1
Requesting System Maintenance Mode
SINGLE USER MODE
# ls /dev/dsk
c0d0s0 c0d0s1 c0d0s2 c0d0s3 c0d0s4 c0d0s5 c0d0s6 c0d0s7
# mount /dev/dsk/c0d0s0 /a
# ls /a
bin etc lost+found proc tmp
boot export mnt root usr
dev kernel opt sbin var
devices lib platform system
Sunday, July 11, 2010
Reduce Swap in Red Hat 5
Red Hat recommended SWAP to be no larger than 4Gb.
1) Show current swap
swapon -s
2) Unmount Swap
swapoff /dev/mapper/VolGroup00-LogVol01
3) Reduce from 54Gb to 4Gb (Each LV Extent is 32Mb)
lvreduce -l -1600 /dev/VolGroup00/LogVol01
4) Reformat swap
mkswap /dev/VolGroup00/LogVol01
5) Mount swap as defined in /etc/fstab
swapon -a
Saturday, February 20, 2010
VMware vMA - UK setup
VMware's vMA is an excellent tool for managing ESXi environments and comes as a pre-built virtual machine (appliance).
My method of setting it up for the UK, so that my cron jobs run in GMT/BST.
Setup Authentication to vCenter/ESX hosts
sudo vifp addserver <192.168.10.90>
vifp listservers
vifpinit
Test it works
vicfg-nics -l --vihost
Update vMA
$ sudo vi /etc/vmware/esxupdate/vimaupdate.conf
proxy = http://proxyport =
$ sudo vima-update scan
$ sudo vima-update update
Setup SSH Keys
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ vi ~/.ssh/authorized_keys2
$ chmod 600 ~/.ssh/authorized_keys2
Set Time and locale
$ sudo mv /etc/localtime /etc/localtime.org
$ sudo ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
$ sudo vi /etc/sysconfig/keyboard
KEYTABLE="uk"
$ sudo vi /boot/grub/menu.lst
title Red Hat Enterprise Linux Server (2.6.18-164.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/root quiet notsc divider=10
initrd /initrd-2.6.18-164.el5.img
$ sudo vi /etc/ntp.conf
comment out lines
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
add lines
server <1st NTPSERVER FQDN/IP>
server <2nd NTPSERVER FQDN/IP>
$ sudo vi /etc/ntp/step-tickers
<1st NTPSERVER FQDN/IP>
<2nd NTPSERVER FQDN/IP>
Scheduled network capture on Windows using Wireshark (tshark.exe)
A customer had an iSCSI issue and was required to capture network packets at a specific time on a Windows 2008 server.
I came up with a simple method using Wireshark's tshark.exe and Windows scheduler "AT".
at
type c:\capture.bat
rem Capture WireShark example
rem Andy Paton
rem WTL
rem use AT to run batch
rem example at 01:50 cmd /c c:\capture.bat
rem debug at issues
rem example at 09:50 /interactive cmd /k c:\capture.bat
rem -a duration:1200 in seconds
rem -B Buffer Size - default is 1Mb
rem -i Interface number - use "tshark.exe -D" to list interface numbers
rem -n don't resolve IP addresses
rem -q Quiet output
rem -w output file
rem capture filter "host"
c:\"Program Files"\Wireshark\tshark -a duration:1200 -B 2 -i 4 -n -q -w c:\network.out host 192.168.1.1