Archive

Archive for January, 2007

Outbound Firewall Rules (egress filtering)

January 30th, 2007

So, I turned off the default “allow all to anywhere” LAN rule on my office firewall this afternoon and then created individual rules for the required/applicable ports and protocols. So far, it works great.

This is a good test of the Outbound traffic restrictions mentioned in the PCI DSS. Once I get everything “nailed down”, I should be able to translate what I’ve done here to the “live” cardholder data environment.

Here’s what I have so far:

  • 22 TCP
  • 53 TCP/UDP
  • 80 TCP
  • 123 TCP/UDP
  • 443 TCP
  • GRE
  • 1723 TCP
  • 3389 TCP
  • Block and Log everything else

With the last rule of Block and Log everything, it’s pretty cool to see what’s going on on my LAN segment!
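As an added example (not from the original post), here is how that allow-list reads as a pf.conf fragment for a pf-based firewall such as pfSense, with the weak default rule shown commented out beside the hardened policy; the LAN interface name em1 and the 192.168.1.0/24 subnet are assumptions.

```pf
# Added example, not the original post's configuration.
# Assumed LAN interface and subnet:
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# The egress allow-list from the post (123/TCP kept as listed there).
egress_tcp = "{ 22, 53, 80, 123, 443, 1723, 3389 }"
egress_udp = "{ 53, 123 }"

set skip on lo0

# The default "allow all to anywhere" LAN rule that the post turned off:
# pass in quick on $lan_if from $lan_net to any keep state

# "Block and Log everything else". pf is last-match-wins, so this sits
# first and only catches whatever the "quick" passes below do not claim.
# Blocked packets land on pflog0, which is what makes the LAN visible.
block log all

# Explicit allows, evaluated as LAN traffic enters the firewall. The state
# entry created here also carries the flow out the WAN side and lets the
# replies back in, so no separate "pass out" rules are needed.
pass in quick on $lan_if inet proto tcp from $lan_net to any port $egress_tcp flags S/SA keep state
pass in quick on $lan_if inet proto udp from $lan_net to any port $egress_udp keep state
pass in quick on $lan_if inet proto gre from $lan_net to any keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it, and watch what the default rule is dropping with tcpdump -n -e -ttt -i pflog0.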

Firewalls, PCI, pfSense

Kismet on Gentoo

January 30th, 2007

I got my laptop running with monitor mode support for my Intel 3945 under Gentoo. Now, I’d like to look into Kismet. Here’s how it went down:

  • emerge kismet
  • Edit /etc/kismet.conf
    • suiduser=xxxxxx
    • source=ipw3945,eth1,kismet
    • gps=false
  • Start kismet and it looks to run

Right now I don’t have any other wireless clients up and running, so I’ll have to wait till tomorrow to actually watch some running traffic. This looks like a good start so far though.

Gentoo, Kismet, Wifi

Signing an IIS 5.0 Certificate Request with OpenSSL

January 30th, 2007

Evidently there is a difference with regard to certificates between IIS 6.0 and IIS 5.0. I have previously used madboa’s SSL HOWTO to generate, sign and export PEM certificates to the PFX format that IIS expects. However, today, I tried using the same procedure with an older Windows 2000 / IIS 5.0 server and repeatedly got the same “import password is incorrect or the certificate has expired” message.

After some searching and learning that few people have had success with IIS 5.0, I came across a post from dejavu.mu.nu detailing exactly how to create a certificate that would work with IIS 5.0.

Loving the fact that I can push something Open Source onto a Windows platform!

IIS, OpenSSL

Good Coffee

January 30th, 2007

I love good coffee, and this just about says it all: UserFriendly coffee.

Coffee

Secure your DNS

January 28th, 2007

Just noticed this posting at ISC about DNS issues. It has two good links at the bottom to the NIST doc on implementing secure DNS and a secure BIND template.

I really need to review existing DNS infrastructure for an exact picture of where we are.

Also take note of DNS for Rocket Scientists and this PDF from CERT (even though it’s a few years old now).

DNS

MIMEDefang on FreeBSD – Part 2

January 21st, 2007

OK, back at it again. Got sendmail and mimedefang installed.

Notes:

  • Gotta copy /usr/local/etc/rc.d/mimedefang.sh-dist to /usr/local/etc/rc.d/mimedefang.sh
  • Generate a new sendmail.cf
    • Go to /etc/mail
    • Issue a ‘make’
    • Edit hostname.mc file

divert(-1)
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30.2.2 2006/08/23 03:31:00 gshapiro Exp $')
OSTYPE(freebsd6)
DOMAIN(generic)

define(`confCW_FILE', `-o /etc/mail/local-host-names')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

define(`confMAX_HEADERS_LENGTH', `32768')dnl
define(`confBAD_RCPT_THROTTLE', `3')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
define(`confTRUSTED_USER', `mailnull')dnl
define(`confMAX_MESSAGE_SIZE', 204800000)dnl
dnl TIMEOUT settings - Bat book 24.9.109
define(`confTO_INITIAL', `2m')dnl
define(`confTO_CONNECT', `2m')dnl
define(`confTO_ICONNECT', `30s')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `15m')dnl
define(`confTO_DATAINIT', `2m')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `30m')dnl
define(`confTO_RSET', `5m')dnl
define(`confTO_QUIT', `2m')dnl
define(`confTO_MISC', `2m')dnl
define(`confTO_COMMAND', `5m')dnl
define(`MILTER', `1')dnl
define(`confMILTER_LOG_LEVEL', `9')dnl

FEATURE(access_db, `hash -o -T /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

FEATURE(`redirect')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
MAIL_FILTER(`mimedefang', `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `mimedefang')dnl

DAEMON_OPTIONS(`Name=IPv4, Family=inet')

MAILER(local)
MAILER(smtp)

FreeBSD, MIMEDefang

MIMEDefang on FreeBSD – The Discovery

January 17th, 2007

First stab at MIMEDefang on a FreeBSD box. The server is an older Dell PowerEdge 2650 that was loaded with base FreeBSD 6.1 about two months ago. I just updated to FreeBSD 6.2-RELEASE yesterday without a hitch. Also, ports are up to date and portupgrade was run.
The following sources were used for information:

My process:

  • Install Perl
    • cd /usr/ports/perl5.8
    • make
    • make install
      • Received error that perl-5.8.8 was already installed (oops)
    • make clean
  • Sendmail is installed
    • Version 8.13.8
    • Verify that milter support is compiled
      • sendmail -Ac -d0.1 -bv root
  • Install ClamAV
    • Version 0.88.7
    • cd /usr/ports/security/clamav
    • make
    • make install
    • Error message that clam was already installed
    • make deinstall
    • make reinstall
  • Install MIMEDefang
    • Version 2.58
    • cd /usr/ports/mail/mimedefang
    • make
    • Error again

Basically, I’ve hosed this up by doing some binary package installation previously, it would appear. Brain fade.

What now? Flatten the box? Looks like I installed clam, mysql, perl, and mimedefang previously.

No, apparently this isn’t all that bad. Think I’ll just work with what’s there for now.

Dell PE 2650, FreeBSD, MIMEDefang

Gentoo on Dell D820

January 16th, 2007

Took a first stab at Gentoo yesterday on my Dell Latitude D820. So far I’ve got everything working except the Intel 3945 wireless adapter. It’s up in KDE with nVidia support. Eth0 is working. Most things look pretty good. In the process though, I found several good links on Gentoo and the hardware in the D820:

Dell Latitude D820, Gentoo, Intel 3945, Linux

Tao post on why to use FreeBSD

January 16th, 2007

I was listening to a PSW podcast from last January (post-ShmooCon) when they interviewed Richard Bejtlich.

They asked about FreeBSD, and he referenced this post on some advantages of FreeBSD and BSD in general.

FreeBSD

Stupid Blogs

January 16th, 2007

Well, I guess I couldn’t resist any longer. Gotta see if a blog will help keep the information mess under control. This is basically for my own use and abuse, but if you can find any benefit from it, be my guest.

Uncategorized