Author: Michael Blood
apache commands that ‘might’ make your server more PCI compliant
Add the following directives to your Apache configuration file to help make it more PCI compliant.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
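As an added example (not part of the original post), here is a small shell audit that reads an Apache config file and checks the points above: TRACE refused (by the RewriteRule approach or by Apache's own TraceEnable off directive), SSLv2 and SSLv3 disabled, SSLHonorCipherOrder on, and no weak algorithm admitted as a positive token in SSLCipherSuite. The two sample configs are constructed for the demonstration; the first repeats the directives from the post, and the checker reports that its cipher string still lists RC4 positively (EECDH+aRSA+RC4 and RC4), which RFC 7465 prohibits in TLS.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache config file for
# the PCI-relevant points discussed above. Directive names are matched
# case-sensitively here (Apache accepts any case), and only one file is read,
# so point it at the file that actually carries the SSL directives.

# Print each positive SSLCipherSuite token (one not prefixed with "!") that
# names a weak algorithm, one per line. Empty output means none were found.
weak_cipher_tokens() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" |
        tr ' :' '\n\n' |
        grep -Ev '^!|^$' |
        grep -E 'RC4|MD5|DES|NULL|EXP|LOW' || true
}

# Check one config file. Prints FAIL/WARN lines; returns 0 only when nothing
# FAILed (a WARN does not change the return value).
audit_apache_conf() {
    conf=$1
    fails=0

    # TRACE must be refused, either by the RewriteRule approach above or by
    # the built-in "TraceEnable off" directive.
    if ! grep -Eq '^[[:space:]]*TraceEnable[[:space:]]+[Oo]ff' "$conf" &&
       ! grep -Eq 'REQUEST_METHOD}[[:space:]]+\^TRACE' "$conf"; then
        echo "FAIL: TRACE method is not blocked"
        fails=$((fails + 1))
    fi

    # SSLProtocol: in the "all -X" form SSLv2 and SSLv3 must be subtracted; in
    # an explicit list neither may appear as a positive token.
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$conf" | head -n 1)
    case " $proto " in
        "  ")
            echo "FAIL: no SSLProtocol directive"; fails=$((fails + 1)) ;;
        *" all "*|*" All "*|*" ALL "*)
            case "$proto" in *-SSLv2*) ;; *) echo "FAIL: SSLv2 not disabled"; fails=$((fails + 1)) ;; esac
            case "$proto" in *-SSLv3*) ;; *) echo "FAIL: SSLv3 not disabled"; fails=$((fails + 1)) ;; esac ;;
        *" SSLv2 "*|*" +SSLv2 "*|*" SSLv3 "*|*" +SSLv3 "*)
            echo "FAIL: SSLv2/SSLv3 explicitly enabled"; fails=$((fails + 1)) ;;
    esac

    grep -Eq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' "$conf" || {
        echo "FAIL: SSLHonorCipherOrder is not on"; fails=$((fails + 1)); }

    weak=$(weak_cipher_tokens "$conf")
    if [ -n "$weak" ]; then
        echo "WARN: cipher list still admits: $(printf '%s' "$weak" | tr '\n' ' ')"
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample configs: the directives from the post, and a weaker one.
SAMPLE_PAGE=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_PAGE" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_PAGE" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
EOF
cat > "$SAMPLE_BAD" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL
EOF

# Stand-alone run: report on both samples.
for conf in "$SAMPLE_PAGE" "$SAMPLE_BAD"; do
    echo "== $conf"
    audit_apache_conf "$conf" && echo "PASS" || echo "FAILED"
done
```

In use, run audit_apache_conf against the file that holds your SSL virtual host (on Ubuntu typically /etc/apache2/sites-enabled/default-ssl.conf); a WARN about RC4 is worth acting on even though it does not fail the check.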
Update: I have made some new notes in another blog post for requirements that helped a client pass an additional test with TrustWave
ip tables commands which ‘might’ make your firewall PCI compliant
This is a list of the iptables commands that will set up a minimal firewall which ‘might’ be PCI compliant.
This is primarily here to remind me, so I have a reference in the future.
I also have ports for FTP and SSH for a single developer IP as well as monitoring for a single monitoring server. The format is simple and can easily be changed for other services.
Be sure to replace ‘my.ip’ with your development ip, and ‘monitoring.ip’ with
This is on a Linux Ubuntu machine (of course)
apt-get install iptables iptables-persistent
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -s monitoring.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
# the timestamp-request DROP must come before the catch-all REJECT; a rule appended after it would never match
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables-save > /etc/iptables/rules.v4
moving mysql databases using mysqldump & ssh
Moving MySQL Databases Using mysqldump
On old server:
Check the /etc/mysql/my.cnf file and make note of the address listed in bind-address.
On the new server:
When you install mysql, define a temporary password for root. This password will get overwritten during the transfer, after a restart of the mysql service.
Add a new interface eth0:x in /etc/network/interfaces with the ip address noted in the old server’s /etc/mysql/my.cnf file. LEAVE THIS INTERFACE DOWN UNTIL THE FINAL SWITCH.
Edit the /etc/mysql/my.cnf file
bind-address = <address of the new server> or, less specific, 0.0.0.0
Restart the mysql service. NOTE: reload doesn’t load the changes in my.cnf.
service mysql restart
Use this command to move the databases:
ssh (your username)@(old-server’s FQDN or IP) "mysqldump -u (db-username, probably root) -p'(old server’s db password)' --all-databases" | mysql -u root -p'(temp pw designated at mysql install on the new server)' -h (ip address of new server)
Note that there is no space between -p and the password: with a space, mysql prompts for the password and treats the next word as a database name.
NOTE: After the restoration of the databases on the new server, your current credentials will work until the mysql service is restarted.
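As an added example (not part of the original post), the following script is the check to run when the dump goes through a file rather than straight down the pipe: mysqldump ends every successful dump with a "-- Dump completed on <date>" line, so a transfer that died part way can be recognised before the partial file is loaded on the new server. The sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a transferred dump is
# complete before loading it on the new server. A dump cut short by a dropped
# SSH session or a full disk lacks mysqldump's completion trailer, and mysql
# would load the partial file without complaint.

# Return 0 if file $1 is non-empty and ends with mysqldump's completion trailer.
dump_is_complete() {
    [ -s "$1" ] || return 1
    tail -n 1 "$1" | grep -q '^-- Dump completed on '
}

# Print the database names a --all-databases dump would create, one per line,
# for comparison against "SHOW DATABASES" on the old server.
dump_databases() {
    sed -n 's/^CREATE DATABASE .*`\([^`]*\)`.*/\1/p' "$1"
}

# Constructed samples: a complete dump and the same file truncated.
GOOD_DUMP=$(mktemp)
TRUNC_DUMP=$(mktemp)
trap 'rm -f "$GOOD_DUMP" "$TRUNC_DUMP"' EXIT
cat > "$GOOD_DUMP" <<'EOF'
-- MySQL dump 10.13  Distrib 5.5.41, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database:
-- ------------------------------------------------------
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `shop` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `shop`;
DROP TABLE IF EXISTS `orders`;
CREATE TABLE `orders` (`id` int(11) NOT NULL) ENGINE=InnoDB;
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `mysql` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `mysql`;
-- Dump completed on 2015-03-31 10:15:02
EOF
head -n 8 "$GOOD_DUMP" > "$TRUNC_DUMP"   # simulate a transfer that died part way

# Stand-alone run: report on both samples.
for f in "$GOOD_DUMP" "$TRUNC_DUMP"; do
    if dump_is_complete "$f"; then
        echo "$f: complete, databases: $(dump_databases "$f" | tr '\n' ' ')"
    else
        echo "$f: INCOMPLETE, do not restore"
    fi
done
```

A file-based transfer then becomes: dump over ssh into all.sql on the new server, run dump_is_complete all.sql, and only on success feed all.sql to mysql. Because the dump includes the mysql database, the grants from the old server replace the temporary root password once the service is restarted, as the note above says.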
If, for any reason, you need to do a complete re-install of MySQL, use this procedure to remove MySQL completely from the server:
service mysql stop #or mysqld
deluser mysql
delgroup mysql
killall -9 mysql
killall -9 mysqld
apt-get remove --purge mysql-server mysql-client mysql-common
apt-get autoremove
apt-get autoclean
rm -rf /var/lib/mysql
Then re-install:
apt-get install mysql-server
ssh-keygen -R (FQDN) # removes the stale host key for this name from ~/.ssh/known_hosts
Matt Long
3/31/2015
PCI SAQ Security Links
It seems there are a couple of Google searches that can be done to help find the links to the forms you need to fill out the SAQ as a self-reporting web hosting company, but it took me a little bit to put them all together.
I am not a PCI Security Consultant, so don’t take this as any kind of gospel, but here are the forms I found that I needed.
To fill out the Attestation of Compliance SAQ D 3.0 for Service Providers, get the form here:
https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.pdf
If you are not a service provider, perhaps you need a different form.
For a quick reference, see their file here:
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
The PCI DSS Glossary has details of many of the items mentioned in the form:
https://www.pcisecuritystandards.org/security_standards/glossary.php
Installing tsung on an amazon t2.micro server
Install Ubuntu 14.04.
#apt-get update
#apt-get install erlang erlang-dev erlang-eunit
#wget http://tsung.erlang-projects.org/dist/tsung-1.5.1.tar.gz
#tar -xvzf tsung-1.5.1.tar.gz
#cd tsung-1.5.1
#make
#make install
#tsung-recorder start
That is it! You are now collecting data and can run a recording session.
Read below for instructions on a failed attempt.
Install Ubuntu 14.04, launch and run
#apt-get update
#apt-get install tsung
This still comes up with a crash report because tsung is attempting to use the wrong version of erlang; it seems that the tsung build expects a different version of erlang, perhaps because the versions that Debian considers the most up to date are not compatible.
Read below if you want the instructions that I started but that did not work, because Amazon’s yum-based AMI sucks compared to Ubuntu.
Once you launch and connect to the Amazon server (I chose a small Amazon server which already has the Amazon CLI tools installed):
#sudo yum update
#sudo yum --nogpgcheck install http://tsung.erlang-projects.org/dist/redhat/tsung-1.5.1-1.fc20.x86_64.rpm
#sudo ln -s /usr/bin/erl /bin/erl #(not sure why the package install erlang in one location and tsung looks in another ....)
Now you are ready to run the tsung command to record your session
#tsung-recorder start -d 7 -P htt
But you get the error below…
Starting Tsung recorder on port 8090
[root@ip-172-16-1-236 ~]# {"init terminating in do_boot",{undef,[{tsung_recorder,start,[]},{init,start_it,1},{init,start_em,1}]}}
Crash dump was written to: erl_crash.dump
init terminating in do_boot ()
Installing Veeam Backup for VMWare
This is a “From Scratch” implementation of Veeam backup & Replication 8.0 for VMWare.
I’ll be installing B&R (Backup & Replication) on a VM on the target server, which is running ESXi 5.5, and installing the Enterprise Management Console on a workstation.
Download Veeam B&R from Veeam’s website. You’ll have to register, and make sure you use an email address that isn’t public (e.g. gmail,yahoo, etc.) or you won’t get access to the things you’ll need. Get the B&R ISO, the license file, and the latest patch.
Check the release notes for system requirements. Here’s a helpful Installation Guide on Veeam’s Help Center:
http://helpcenter.veeam.com/backup/80/vsphere/index.html?install_vbr_1.html
Hardware requirements are at least 2 cores and 4GB RAM minimum.
My VM has:
2 cores
8GB RAM
100GB Hard Drive NOTE: the fully set up machine came to 38GB.
I’m installing on a Windows 7 Pro VM and found that I needed Service Pack 1, PowerShell 2.0, and Internet Explorer 9 or higher. These aren’t included in the Veeam installation package. I’ve also downloaded and installed Microsoft Security Essentials.
The filenames for these updates are:
Windows6.1-KB2819745-x64-MultiPkg.exe, IE11-Windows6.1-x64-en-us.exe, and windows6.1-KB976932-X64.exe
After meeting all of the prerequisites I began the installation, choosing the default settings and letting the installation add the required software bundled with it.
Install any patches issued by Veeam.
Setting up Nagios monitoring on Windows 2003r2 through a Firewall
Download nrpe_nt, currently nrpe_nt.0.8b-bin.zip. Extract it to the root of C: on the Target Windows Machine. You should have a directory called C:\nrpe that contains a sub-directory called bin.
Download the plugins, currently nrpe_nt_plugins.zip. Unzip this file and place the executables in a directory called C:\nrpe\plugins\bin.
Change to the C:\nrpe\bin directory and edit the nrpe.cfg file to look like this:
server_port=<port# you'll use for this particular Target Machine>
server_address=<This Target Machine's IP Address>
allowed_hosts=<The IP Address of your Nagios Server>
debug=1
command_timeout=30
loglevel=7
command[check_cmd]=C:\nrpe\bin\test.cmd
command[check_cpuload]=C:\nrpe\plugins\bin\cpuload_nrpe_nt.exe 70 90
command[check_disk_c]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe c: 70 90
command[check_disk_d]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe d: 70 90
command[check_disk_e]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe e: 70 90
command[check_memload]=C:\nrpe\plugins\bin\memload_nrpe_nt.exe 70 90
Open a command prompt and run:
cd \nrpe\bin
nrpe_nt -i
You should get a confirmation that the service was created successfully. Go to Administrative Tools > Services and start the service. You can test that the client is listening on the designated port on the Windows Target Machine:
netstat -aon | findstr <port#>
Test the connection from the CLI at the Nagios server:
/usr/lib/nagios/plugins/check_nrpe -H <IP of the Firewall> -p 1248 MEMUSE -p <port# defined in the firewall and configured in nrpe.cfg on the target>
On the Nagios Server, in the /etc/nagios3/conf.d/check_nrpe.cfg file, define a command that will use the -p switch to allow for a port # argument:
define command {
command_name check_nrpe_port
command_line /usr/lib/nagios/plugins/check_nrpe -t20 -H $HOSTADDRESS$ -c $ARG1$ -p $ARG2$
}
-c = the command name defined in nrpe.cfg on the Target Machine (which maps to an executable in C:\nrpe\plugins\bin)
-p = the port #
In the /etc/nagios3/conf.d/hosts_orig.cfg file, create your host using the IP address of the firewall.
define host{
use test-host
host_name test-dc1
alias test-dc1
address <IP Address of the Gateway>
}
In the /etc/nagios3/conf.d/services.cfg file, create the services for your host using the host_name defined above and the command name you created, with arguments. Set your port number for this Target Machine here, making sure the port# matches the Target Machine where you defined that port#.
define service{
use test-template
host_name test-dc1
service_description disk C:
check_command check_nrpe_port!check_disk_c!5667
}
define service{
use test-template
host_name test-dc1
service_description CPU load
check_command check_nrpe_port!check_cpuload!5667
}
define service{
use test-template
host_name test-dc1
service_description memory load
check_command check_nrpe_port!check_memload!5667
}
Reload nagios and check for errors:
service nagios3 reload
At the firewall:
Note: This example is using a Safe@Office 500P firewall, so the terminology may be different.
You will need to create a service using the TCP protocol corresponding to each nrpe port number that you'll be using. In this case, I'm using 5666 through 5671. In my case, these settings were under Network > Services in the 500P configuration web interface.
Create a new network object for the Nagios Server using its IP Address. You'll need network objects for the Target Machines that you'll be monitoring.
Create “Allow and Forward” rules for each of your Target Machines using the service for the port # you assigned to that Target Machine:
Service = Standard Service, the service with the correct port for your Target Machine
Source = Your Nagios Server
Destination = “This Gateway”
Forward to = Target Machine
Continue by configuring your Nagios Server to monitor these new Targets. When defining the host in the hosts.cfg file for Nagios, use the firewall's gateway IP Address.
Matt Long
02/05/2015
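As an added example (not part of the original post), the script below generates the services.cfg entries for several Target Machines from a simple host/port table, and refuses the table if two targets share a port or a port falls outside the range opened on the firewall, since the firewall forwards each port to exactly one machine and a duplicate would silently report the wrong host's disk and memory. The host names, ports and the check_nrpe_port command it references follow the post; the table itself is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate Nagios service
# definitions per Target Machine and validate the port assignments first.

# Constructed host/port table: one Target Machine and its forwarded port per line.
TARGETS=$(mktemp)
trap 'rm -f "$TARGETS"' EXIT
cat > "$TARGETS" <<'EOF'
test-dc1 5667
test-fs1 5668
test-app1 5669
EOF

# Return 0 if every line of table $1 has exactly two fields and every port is
# unique and within $2..$3 (the range of services created on the firewall).
check_port_table() {
    awk -v lo="$2" -v hi="$3" '
        BEGIN { bad = 0 }
        NF != 2 { print "bad line: " $0 > "/dev/stderr"; bad = 1; next }
        $2 < lo || $2 > hi {
            print $1 ": port " $2 " outside " lo "-" hi > "/dev/stderr"; bad = 1
        }
        seen[$2]++ {
            print $1 ": port " $2 " already used by " owner[$2] > "/dev/stderr"; bad = 1
        }
        { owner[$2] = $1 }
        END { exit bad }
    ' "$1"
}

# Print disk, CPU and memory service definitions for every host in table $1,
# using the check_nrpe_port command defined above.
gen_services() {
    check_port_table "$1" 5666 5671 || return 1
    while read -r host port; do
        for check in check_disk_c check_cpuload check_memload; do
            cat <<EOF
define service{
    use                 test-template
    host_name           $host
    service_description $check
    check_command       check_nrpe_port!$check!$port
}
EOF
        done
    done < "$1"
}

# Stand-alone run: print the definitions for the constructed table.
gen_services "$TARGETS"
```

Redirect the output into /etc/nagios3/conf.d/services.cfg, then reload nagios as above; a failed validation prints the offending host and port on stderr and produces no file, so a bad table cannot reach the running configuration.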
Adding and Removing Local Storage From XenServer
To add local storage XenServer 6.x
Get your device IDs with:
ll /dev/disk/by-id
The host uuid can be copied and pasted from the general tab of your host in XenCenter.
Create your storage:
xe sr-create content-type=user device-config:device=/dev/sdb host-uuid=<Place the host’s UUID here> name-label="<Name your local storage here>" shared=false type=lvm
NOTE: Make sure that “shared=” is false. If you have shared storage on a hypervisor, you won’t be able to add it to a pool. When a hypervisor is added to a pool, its local storage is automatically shared in that pool.
NOTE: Replace sdb in the above command with the device that you’re adding.
To Remove local storage XenServer 6.x
Go to console in XenCenter or log in to your xenserver host via ssh
List your storage repositories.
xe sr-list
You will see something like this:
uuid ( RO) : <The uuid number you want is here>
name-label ( RW): Local storage
name-description ( RW):
host ( RO): host.example.com
type ( RO): lvm
content-type ( RO): user
The uuid string is the Storage Repository uuid (SR-uuid) that you need for the next step.
Get the Physical Block Device UUID.
xe pbd-list sr-uuid=Your-UUID
The uuid ( RO) field in this output is the PBD-uuid.
Unplug the local storage.
xe pbd-unplug uuid=Your-PBD-uuid
Delete the PBD:
xe pbd-destroy uuid=your-PBD-uuid
Forget (remove) the local storage so that it no longer shows up as detached.
xe sr-forget uuid=your-SR-uuid
Now check in XenCenter that it’s removed.
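As an added example (not part of the original post), this script parses saved xe sr-list and xe pbd-list output in the format shown above and prints the unplug, destroy and forget commands with the uuids already filled in, so they can be reviewed before being run rather than copied by hand. The listings and uuids below are constructed placeholders; the pbd-list output is what "xe pbd-list sr-uuid=<SR uuid>" returns for the first SR.

```shell
#!/bin/sh
# Added example, not from the original post: turn xe listing output into a
# reviewable removal plan for one local SR, selected by its name-label.

# Print the uuid of the SR whose name-label equals $2 in sr-list output $1.
# Records are blank-line separated and each starts with its "uuid ( RO)" line.
sr_uuid_by_label() {
    awk -v want="$2" '
        /^uuid \( RO\)/ { uuid = $NF }
        /^ *name-label \( RW\):/ {
            sub(/^ *name-label \( RW\): */, "")
            if ($0 == want) print uuid
        }
    ' "$1"
}

# Print the uuids of the PBDs in pbd-list output $1 that belong to SR $2.
pbd_uuids_for_sr() {
    awk -v sr="$2" '
        /^uuid \( RO\)/ { uuid = $NF }
        /^ *sr-uuid \( RO\):/ { if ($NF == sr) print uuid }
    ' "$1"
}

# Print, without executing, the xe commands that detach and forget the SR
# named $1, given saved sr-list output $2 and pbd-list output $3.
removal_commands() {
    sr=$(sr_uuid_by_label "$2" "$1")
    [ -n "$sr" ] || { echo "no SR named '$1' in $2" >&2; return 1; }
    for pbd in $(pbd_uuids_for_sr "$3" "$sr"); do
        echo "xe pbd-unplug uuid=$pbd"
        echo "xe pbd-destroy uuid=$pbd"
    done
    echo "xe sr-forget uuid=$sr"
}

# Constructed listings in the layout xe prints; uuids are placeholders.
SR_LIST=$(mktemp)
PBD_LIST=$(mktemp)
trap 'rm -f "$SR_LIST" "$PBD_LIST"' EXIT
cat > "$SR_LIST" <<'EOF'
uuid ( RO)                : 11111111-aaaa-4bbb-8ccc-000000000001
          name-label ( RW): Local storage
    name-description ( RW):
                host ( RO): host.example.com
                type ( RO): lvm
        content-type ( RO): user


uuid ( RO)                : 22222222-aaaa-4bbb-8ccc-000000000002
          name-label ( RW): DVD drives
    name-description ( RW): Physical DVD drives
                host ( RO): host.example.com
                type ( RO): udev
        content-type ( RO): iso
EOF
cat > "$PBD_LIST" <<'EOF'
uuid ( RO)                  : 33333333-aaaa-4bbb-8ccc-000000000003
             host-uuid ( RO): 44444444-aaaa-4bbb-8ccc-000000000004
               sr-uuid ( RO): 11111111-aaaa-4bbb-8ccc-000000000001
         device-config (MRO): device: /dev/sdb
    currently-attached ( RO): true
EOF

# Stand-alone run: show the plan for the SR named "Local storage".
removal_commands "Local storage" "$SR_LIST" "$PBD_LIST"
```

On a real host, capture the listings with "xe sr-list > sr.txt" and "xe pbd-list sr-uuid=<SR uuid> > pbd.txt", run removal_commands against them, and execute the printed lines in order once they look right.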
Error While Installing PGAdmin v1.20.0 for Windows
go to:
http://www.pgadmin.org/download/windows.php
Download the latest version. At the time of this post it was v1.20.0.
Unzip the file and run the .msi file.
I encountered an error after the installation when running the program, to the effect of:
MSVCP120.dll is missing
This file relates to Microsoft Visual C++. The redistributable package can be found here:
http://www.microsoft.com/en-us/download/details.aspx?id=40784
After downloading and installing the x64 package (I’m running Win7 x64), I still encountered the error.
This problem was resolved by downloading and installing the x86 package.
Matt Long
1/22/2015
Configuring Bind9
This doc shows how to create the conf files for bind9 and how to test them.
Configuration files are located at /etc/bind
Become root
Create a sub-directory to store the conf files. In this doc, it will be “zones”
cd /etc/bind/
mkdir zones
Copy the default conf file that you’ll use to zones
cp db.local ./zones/example.com.db.local
Where example.com is your domain
Edit this file
cd zones
nano example.com.db.local
The file should appear as follows:
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
Make the changes so that the file appears as follows:
NOTE: Don’t forget the periods after the domain names
xxx.xxx.xxx.xxx = the target machines’ IP Address
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA example.com. host.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.example.com.
@ IN A xxx.xxx.xxx.xxx
@ IN AAAA ::1
;
ns1 IN A xxx.xxx.xxx.xxx
mail IN A xxx.xxx.xxx.xxx
www IN A xxx.xxx.xxx.xxx
;
example.com. IN MX 10 mail.example.com.
;
Computer-Name IN CNAME www
These changes will create “A” records for ns1, (which is your dns server), and also mail and www.
It further creates an MX or Mail Exchange record for mail.example.com.
It creates an alias, or “CNAME” for “Computer-Name”.
Rules to remember:
A ; is used to comment out a line. # doesn’t work here.
Your MX record must point at a name that has a corresponding “A” record. It can’t be a CNAME.
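As an added example (not part of the original post), here is a checker for the two rules above that can be run on a zone file before restarting bind9: every in-zone MX target must have an A record and must not be a CNAME, and any dotted name in the data field of an SOA, NS, MX or CNAME record must end with a period (without it, bind appends the zone name and the record points at mail.example.com.example.com). It understands the record layout used in this post (owner, IN, type, data, with a multi-line SOA); the two zones below are constructed with placeholder addresses.

```shell
#!/bin/sh
# Added example, not from the original post: lint a zone file for the two
# rules above. Handles the "owner IN TYPE data" layout used in this post.

# Check zone file $1 for zone name $2. Prints one line per problem; returns 0
# when the zone passed.
check_zone() {
    awk -v zone="$2" '
        # Absolute form of a name: "@" is the zone, a trailing period is kept,
        # anything else is a label relative to the zone.
        function fqdn(n) {
            if (n == "@") return zone "."
            if (n ~ /\.$/) return n
            return n "." zone "."
        }
        # A dotted target without a trailing period is almost always a mistake.
        function reldot(target, owner, what) {
            if (target ~ /\./ && target !~ /\.$/) {
                print owner ": " what " target \"" target "\" lacks a trailing period (bind reads it as " target "." zone ".)"
                bad = 1
            }
        }
        BEGIN { bad = 0; last = "@" }
        { sub(/;.*/, "") }                       # drop comments
        /^[ \t]*$/ || /^\$/ { next }             # blank lines, $TTL, $ORIGIN
        $1 == "IN" { owner = last; type = $2; d1 = $3; d2 = $4 }
        $2 == "IN" { owner = $1;   type = $3; d1 = $4; d2 = $5 }
        $1 != "IN" && $2 != "IN" { next }        # SOA continuation lines
        {
            last = owner
            o = fqdn(owner)
            if (type == "A")          a[o] = 1
            else if (type == "CNAME") { cname[o] = 1; reldot(d1, owner, "CNAME") }
            else if (type == "NS")    reldot(d1, owner, "NS")
            else if (type == "MX")    { reldot(d2, owner, "MX"); mx[fqdn(d2)] = owner }
            else if (type == "SOA")   { reldot(d1, owner, "SOA mname"); reldot(d2, owner, "SOA rname") }
        }
        END {
            suffix = "." zone "."
            for (t in mx) {
                if (substr(t, length(t) - length(suffix) + 1) != suffix) continue   # target outside this zone
                if (t in cname)     { print mx[t] ": MX target " t " is a CNAME (needs an A record)"; bad = 1 }
                else if (!(t in a)) { print mx[t] ": MX target " t " has no A record in this zone"; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# Constructed zones: one following the rules, one breaking both.
GOOD_ZONE=$(mktemp)
BAD_ZONE=$(mktemp)
trap 'rm -f "$GOOD_ZONE" "$BAD_ZONE"' EXIT
cat > "$GOOD_ZONE" <<'EOF'
$TTL 604800
@ IN SOA example.com. host.example.com. (
    2 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
@ IN NS ns1.example.com.
@ IN A 192.0.2.10
ns1 IN A 192.0.2.10
mail IN A 192.0.2.11
www IN A 192.0.2.10
example.com. IN MX 10 mail.example.com.
Computer-Name IN CNAME www
EOF
cat > "$BAD_ZONE" <<'EOF'
$TTL 604800
@ IN SOA example.com. host.example.com. (
    2 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
@ IN NS ns1.example.com
@ IN A 192.0.2.10
ns1 IN A 192.0.2.10
www IN A 192.0.2.10
mail IN CNAME www
@ IN MX 10 mail.example.com.
EOF

# Stand-alone run: report on both zones.
for z in "$GOOD_ZONE" "$BAD_ZONE"; do
    echo "== $z"
    check_zone "$z" example.com && echo "OK" || echo "problems found"
done
```

Run it as check_zone /etc/bind/zones/example.com.db.local example.com before the restart; bind's own named-checkzone catches syntax errors but accepts an MX that points at a CNAME, which is exactly the case the second rule above is about.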
Now, create a file in your zones directory titled example.com.in-addr.arpa.local. This is for reverse lookups.
Edit the file to look like this:
$TTL 604800
@ IN SOA example.com. root.example.com. (
2010081401;
28800;
604800;
604800;
86400 );
;
IN NS ns1.example.com.
4 IN PTR example.com.
Edit the file /etc/bind/named.conf.local
This is where you’ll point the bind service to the files that you created in the zones directory
Make the file look like this:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// NOTE: the domain name in the zone statement is, in fact, in quotes
zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db.local";
};
zone "3.2.1.in-addr.arpa" {
type master;
file "/etc/bind/zones/example.com.in-addr.arpa.local";
};
As you can see in the example above, the “file” statements correspond to the paths and filenames you created.
Restart the service:
service bind9 restart
To test:
Look at the syslog file:
grep bind /var/log/syslog
It should look something like this:
Jan 26 15:54:13 mtxfarm-matt-test named[4602]: starting BIND 9.8.1-P1 -u bind
Jan 26 15:54:13 mtxfarm-matt-test named[4602]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
Jan 26 15:54:13 mtxfarm-matt-test named[4602]: loading configuration from ‘/etc/bind/named.conf’
Jan 26 15:54:13 mtxfarm-matt-test named[4602]: reading built-in trusted keys from file ‘/etc/bind/bind.keys’
Jan 26 15:54:13 mtxfarm-matt-test named[4602]: set up managed keys zone for view _default, file ‘managed-keys.bind’
Look for errors or warnings
Use the “dig” command with one of the FQDNs that you defined in your example.com.db.local file:
dig mail.example.com @xxx.xxx.xxx.xxx
in place of xxx.xxx.xxx.xxx, use your new dns server’s ip address.
You should see this:
; <<>> DiG 9.8.1-P1 <<>> mail.test-matt.com @206.207.94.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48761
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
mail.example.com. 604800 IN A xxx.xxx.xxx.xxx
;; AUTHORITY SECTION:
example.com. 604800 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 604800 IN A xxx.xxx.xxx.xxx
;; Query time: 1 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Mon Jan 26 16:02:52 2015
;; MSG SIZE rcvd: 86
Add “mx” to the end of that dig command and use just the domain name (example.com) to test your MX record.
dig example.com @xxx.xxx.xxx.xxx mx
It should look like this:
; <<>> DiG 9.8.1-P1 <<>> mail.test-matt.com @206.207.94.34 mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26489
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.example.com. IN MX
;; ANSWER SECTION:
example.com. 604800 IN MX 10 mail.example.com.
;; AUTHORITY SECTION:
example.com. 604800 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 604800 IN A xxx.xxx.xxx.xxx
ns1.example.com. 604800 IN A xxx.xxx.xxx.xxx
;; Query time: 1 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Mon Jan 26 16:06:10 2015
;; MSG SIZE rcvd: 77
Matt Long
01/26/2015