Archive for the 'Tech' Category

Published by admin on 17 Dec 2008

Active Directory and Ubuntu Integration with Likewise-Open

 likewise-open-logo.jpg

It’s always been an interest of mine to integrate operating system environments.  I’m not sure if it’s a genuine interest in using a single product for user management or an inability to decide on a single operating system.  Anyway, I started playing around with likewise-open this week for the first time.

Likewise-open, according to their website, is a “free, open source application that joins Linux, Unix and Mac machines to Microsoft Active Directory and securely authenticates users with their domain credentials.”  It sounded good, but I had to test it to be absolutely sure this wasn’t another Winbind/Kerberos configuration nightmare (ironically, Likewise is based on Winbind).

I started out with a patched A/D Domain Controller and a patched Ubuntu Desktop 8.10.  I performed the following steps on the Ubuntu system, as recommended by Likewise.

Install likewise-open

sudo apt-get install likewise-open

Join to the domain

sudo domainjoin-cli join example.local Administrator

-OR YOU CAN USE THE GUI-

joindomain-gui.jpg

You can’t ask for a faster way to add a non-Windows host to the domain.  What I also found pretty interesting was that it populated the Operating System and Version attributes of the computer object in A/D.  After that you can simply log out and log back in as a domain user using the “domain\user” format.  I was expecting a bigger challenge here, but it looks like likewise-open has their act together.

likewise-open-ad-properties.jpg

Another command that is useful while testing removes the machine from the domain.

Removing the system from the domain

sudo domainjoin-cli leave

The last item that I have yet to dig into is access control to the host once it is part of the domain.  As a domain administrator in the test domain I was not immediately granted sudo access to the Ubuntu workstation, but I’m guessing there is some way to configure the host to allow certain domain groups to perform certain tasks.  I’m eyeing the likewise-enterprise software, which has a 30-day trial and boasts AD integration, group policy management, single sign-on for applications, network security, compliance and sudo management.
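The join above, plus the two pieces the post leaves open (confirming the join from the Linux side and letting a domain group use sudo), as one script.  This is an added example, not code from the original post or from Likewise.  The domain example.local, its NetBIOS name EXAMPLE, the group "linuxadmins" and the user "jdoe" are hypothetical; domainjoin-cli, getent and visudo are the real tools.  The only Likewise-specific detail to verify locally is how the group name appears in getent group output, since that exact spelling is what sudoers must match.

```shell
#!/bin/sh
# Added example; not code from the original post or from Likewise. It wraps the
# join shown above, checks that AD accounts resolve through NSS, and grants one
# AD group sudo rights, which is the piece the post left open. The domain
# example.local, its NetBIOS name EXAMPLE, the group "linuxadmins" and the user
# "jdoe" are hypothetical; domainjoin-cli, getent and visudo are the real tools.

DOMAIN="example.local"
NETBIOS="EXAMPLE"
ADMIN_GROUP="linuxadmins"   # spell it exactly as `getent group` reports it

# Sudoers rule granting full sudo to an AD group. Likewise publishes the group
# to NSS as NETBIOS\group; sudoers treats backslash as an escape, so it has to
# be doubled, a space in the name needs a backslash as well, and the leading %
# marks a group rather than a user.
sudoers_line_for_group() {
    grp=$(printf '%s' "$2" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$grp"
}

# Confirm the join from the host's side: the joined domain, and an AD user and
# group resolving through getent, which is what a domain\user login relies on.
verify_join() {
    domainjoin-cli query
    getent passwd "$NETBIOS\\$1" && id "$NETBIOS\\$1"
    getent group "$NETBIOS\\$ADMIN_GROUP"
}

# Append the rule to a copy of /etc/sudoers, syntax-check the copy with
# visudo -c, and install it only if the check passes. A broken sudoers locks
# every admin out, so never edit the live file without this check.
grant_sudo_to_group() {
    tmp=$(mktemp) || return 1
    sudo cat /etc/sudoers > "$tmp"
    sudoers_line_for_group "$NETBIOS" "$ADMIN_GROUP" >> "$tmp"
    if sudo visudo -c -f "$tmp"; then
        sudo install -m 0440 "$tmp" /etc/sudoers
    else
        echo "sudoers check failed; /etc/sudoers left untouched" >&2
    fi
    rm -f "$tmp"
}

# The full procedure runs only when invoked with --join; sourcing the file for
# its functions has no side effects.
if [ "${1:-}" = "--join" ]; then
    set -e
    sudo apt-get install -y likewise-open
    sudo domainjoin-cli join "$DOMAIN" Administrator
    verify_join jdoe
    grant_sudo_to_group
fi
```

Run it as `sh join-ad.sh --join` on the workstation.  The join prompts for the Administrator password exactly as the bare domainjoin-cli call does; the sudoers change goes through visudo -c first so a typo in the group name produces a failed check rather than a host nobody can sudo on.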

…I wonder if it will wash my car?…

Anyway, it looks like a pretty cool product, and if it does all the things it promises then it’s a much-needed piece of tech in the marketplace.  It hasn’t broken any promises to me just yet.  Maybe when I start pushing the limits of the free version I’ll start complaining, but for now it’s on my watch list.

Published by admin on 14 Dec 2008

An International Blog??? (StatCounter.com)

 international.jpg

So I started pulling stats on this blog a little while ago just to see who was peeking in on my posts and where they were coming from.  I started using statcounter.com and it’s awesome for a free service.  I wanted to share a little of the information for my fellow blogging friends so they know what to expect should they also want to know who’s peeking in on their posts.

The first graph that I found particularly interesting was the activity map that showed where my hits were coming from around the world.

activity-map.jpg

country-of-origin.jpg

The next set of information that I thought was surprisingly interesting was the distribution of web browsers hitting the site.  I was actually surprised to see that some people have already started using IE 8.0.

browser-hits.jpg

The last statistic was the Google search terms that new visitors used to find my site.  I’m not sure how it’s getting this information, but I really like knowing what people are looking for when they end up on my site.

search-keyword-analysis.jpg

Published by admin on 12 Dec 2008

Why doesn’t everything have an Internet connection?

 samsung_bd-p2500.jpg

Tonight was the night I finally got motivated enough to give our recently purchased Blu-ray player a connection to the Internet.  I originally tossed and turned on the decision, but now that I’m running the latest firmware I love it.  Some previously unknown features that have recently been brought to light include being able to stream video and audio content from third parties.  Two authorized third parties are Netflix and Pandora, both of which I am going to be using more in the coming weeks.  Netflix has a two-week trial, so I’ll give it a try and see if it’s going to be a monthly expense.  From what I’ve seen in the demos it’s much more robust than any cable provider’s “on demand” features.  I’m also pretty excited to see what comes out in the next firmware release scheduled for the 31st of this month.  With any luck another great feature will be revealed, further reinforcing my belief that getting this player was well worth the $150 ($399 on Samsung’s website) I paid at Best Buy.

Does anyone else have this player or a similar one that allows you to upgrade?  I’d be really interested to see what other vendors have done in this space and how it compares.  I’d also be curious to see if there are third-party firmware builds that allow further customization beyond the standard manufacturer support (e.g. DD-WRT, Tomato or OpenWrt on Linksys routers).  At any rate, I want every device I buy from here on out to have some form of “auto-update” feature to ensure my gear is kept up to snuff with added features and, most importantly, security updates.

Of course, like any like-minded security professional, I scanned the thing to see what new interesting vulnerabilities I’d be introducing to my home network, and funnily enough it came back with the RPC portmapper (rpcbind) listening on TCP port 111.  Maybe when I get more adventurous I’ll take a closer look and see if there are any vulnerabilities that need fixing/reporting.

***Update: A few hours later***

So after a reboot of the Blu-ray player the rpcbind port is closed.  Does anyone have an unpatched Samsung BD-P2500?  I would surely like to know more about the RPC services that were enabled prior to patching.
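The follow-up the post defers, as an added example that is not part of the original post: sweep the home subnet for anything with the portmapper reachable and, for each hit, dump the RPC program table, which is what tells you what a device like this player is actually serving.  The 192.168.1.0/24 range and the three scan lines in sample_scan are constructed; nmap and rpcinfo are the real tools, and the parser reads nmap's grepable (-oG) output so the list of hits can be checked without a live network.

```shell
#!/bin/sh
# Added example, not from the original post: sweep a home subnet for hosts that
# expose the RPC portmapper (TCP 111) and enumerate the RPC programs behind it,
# which is the follow-up the post defers. The 192.168.1.0/24 range and the sample
# scan lines in sample_scan are constructed; nmap and rpcinfo are the real tools.

SUBNET="192.168.1.0/24"

# nmap -oG writes one tab-separated line per host:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/...
# Print the IP of each host whose 111/tcp is reported open.
hosts_with_portmapper() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            p = $2; sub(/^Ports: /, "", p)
            n = split(p, ports, ", ")
            for (i = 1; i <= n; i++)
                if (ports[i] ~ /^111\/open\/tcp/) { print ip; break }
        }'
}

# Constructed output of "nmap -p 111 -oG - 192.168.1.0/24" for three hosts;
# only .50 has the portmapper reachable.
sample_scan() {
    printf 'Host: 192.168.1.1 (router)\tPorts: 111/closed/tcp//rpcbind///\n'
    printf 'Host: 192.168.1.50 ()\tPorts: 111/open/tcp//rpcbind///\n'
    printf 'Host: 192.168.1.77 ()\tPorts: 111/filtered/tcp//rpcbind///\n'
}

# Live sweep: portmapper hits, then the program/version/protocol/port table
# each one publishes. That table is the real finding; an open 111 by itself
# only says something RPC-based is registered.
sweep() {
    nmap -p 111 -oG - "$SUBNET" | hosts_with_portmapper | while read -r ip; do
        echo "== $ip"
        rpcinfo -p "$ip"
    done
}

if [ "${1:-}" = "--sweep" ]; then sweep; fi
```

`sh rpc-sweep.sh --sweep` runs the live version.  Rerun it after a firmware update or reboot, as the post did, since a service that only appears before the first update is exactly the kind of thing a one-off scan misses.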

Published by admin on 26 Oct 2008

That poor Microsoft server service…

microsoft-logo.PNG

So I was tooling around on the web tonight and finally found enough time to investigate the “new” Server service vulnerability described in Microsoft Security Bulletin MS08-067.  I’m somewhat partial to the Microsoft Server service because it has been on my radar since 2006 with the announcement of Microsoft Security Bulletin MS06-040.  Since then, it’s been a constant pain for industry to make sure that all their systems are patched against this nasty little vulnerability, and it looks like we’re going to need to be ready for round two.

Below is the “small” list the affected software…

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems*
  • Windows Server 2008 for x64-based Systems*
  • Windows Server 2008 for Itanium-based Systems

Just about the time I think I’m done with these something like this happens.  Should be an interesting year considering a lot of folks running 2003, 2K8 and Vista have something to fear again.

***Update 3 minutes later***

The vulnerability is already being exploited in the wild by malware detected under the following names…

  • TrojanSpy:Win32/Gimmiv.A
  • TrojanSpy:Win32/Gimmiv.A.dll

***Update 5 minutes later***

Just found it on milw0rm…

  • http://milw0rm.com/exploits/6824
  • http://milw0rm.com/sploits/2008-ms08-067.zip

***Update 10 minutes later***

Nessus has published a check for Windows 2000, XP and 2003

  •  http://blog.tenablesecurity.com/2008/10/network-and-cre.html

***Update Thursday October 30th***

Well, it’s a wrap on this one.  An exploit module is now available in the SVN version of Metasploit and will soon show up in the other versions.  That was fast!!! :)

Published by admin on 08 Oct 2008

Ubuntu Flavored Juice…

 juice.jpg

So I’ve been reading up on JeOS (Just Enough OS), pronounced “juice”, the Ubuntu flavor that is optimized to run as a VMware appliance.  I’m downloading it tonight and will provide an update on what I think.  I’m hoping to have some good news shortly as I’m just about fed up running a full-blown OS for some utility servers I have.  I’ll be happy to cut down on some of the maintenance tasks and simplify the install and patch process.

Give it a spin yourself and let me know what you think…

http://cdimage.ubuntu.com/jeos/releases/hardy/release/jeos-8.04.1-jeos-i386.iso

*** UPDATE - 12:20AM ***

JeOS is pretty fast.  I was able to install everything the same way as on a full OS, but it just seems to run a lot smoother in VMware.  More info to come when I learn more.

Published by admin on 09 Sep 2008

What’s the deal with SMTP?

 rant.jpg

*START RANT*

Why is it that organizations are still struggling with securing their mail infrastructure?  It baffles me that organizations will spend so much money on email spam filters and outsourced SMTP gateway providers, and make such an effort to use encrypted protocols for client-side transactions, and then still allow any IP on the internal network to communicate directly with the production SMTP service with absolutely no restrictions.

Considering that 70-80 percent (according to Forrester and FBI/CSI) of major security breaches come from inside the organization, you’d think there would be more of a push to quarantine some of these rudimentary services.  I can certainly understand if you have alerting software that can’t send via any protocol other than SMTP, but you can pretty easily whitelist those systems.  You could even set up a VBS script that queries the whitelist via LDAP and only allows those hosts to send unauthenticated messages.

*END RANT*

Well, I had some time last weekend and thought it would be fun to write a little Perl script (see my projects page for the download) that goes out and sends email to the world using a list of your internal SMTP servers.  Just perform an Nmap (4.75 just came out!) scan for TCP port 25 on all your ranges (with permission from IS security, of course), take the systems running SMTP, add them to the script, customize the email addresses and run it.  You’ll then know which systems aren’t properly restricting relay access, and maybe you’ll do something to fix it and save me another rant :).
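The same test in shell, as an added example; this is not the Perl script linked from the post's projects page.  It scans a range for TCP 25, then asks each listener to relay from an inside sender to an outside recipient and classifies the reply to RCPT TO, stopping before DATA so nothing is ever delivered.  The 10.0.0.0/24 range, the addresses and the sample transcript are constructed; nmap and nc are the real tools.  As the post says, only run it against ranges you are authorized to test.

```shell
#!/bin/sh
# Added example, not the Perl script the post links from its projects page: find
# internal hosts listening on TCP 25, then ask each to relay from an inside sender
# to an outside recipient and classify its reply to RCPT TO. The 10.0.0.0/24
# range, the addresses and the sample transcript are constructed; nmap and nc are
# the real tools. Only run it against ranges you are authorized to test.

RANGE="10.0.0.0/24"
FROM="audit@example.internal"
RCPT="relay-test@example.com"   # external address a restricted server must refuse

# Hosts in the range with 25/tcp open, from nmap's grepable output.
scan_smtp_hosts() {
    nmap -p 25 --open -oG - "$RANGE" |
        awk -F'\t' '/^Host:/ && $2 ~ /25\/open\/tcp/ { sub(/^Host: /, "", $1); sub(/ .*/, "", $1); print $1 }'
}

# From a full SMTP transcript, return the reply to RCPT TO: it is the fourth
# completed reply (220 banner, HELO, MAIL FROM, RCPT TO). Lines like "250-..."
# are continuations of a multi-line reply and are not counted.
rcpt_reply() {
    awk '{ sub(/\r$/, "") } /^[0-9][0-9][0-9] / { n++; if (n == 4) { print; exit } }'
}

# Turn that reply into a verdict. 250/251 means the server agreed to relay for an
# unauthenticated internal client, which is the finding the post is after; 5xx is
# the correct refusal; 4xx is a temporary deferral worth re-testing.
relay_verdict() {
    case "$1" in
        25[01]*) echo "OPEN-RELAY" ;;
        5*)      echo "rejected" ;;
        4*)      echo "deferred" ;;
        *)       echo "unknown" ;;
    esac
}

# Probe one host. The dialogue stops at RCPT TO and ends with QUIT, so nothing
# is delivered even when the relay would have been allowed.
probe_relay() {
    reply=$(printf 'HELO audit.example.internal\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nQUIT\r\n' \
                "$FROM" "$RCPT" | nc -w 5 "$1" 25 | rcpt_reply)
    printf '%s %s  (%s)\n' "$1" "$(relay_verdict "$reply")" "$reply"
}

# Constructed transcript from a server that refuses to relay; note the two-line
# 220 banner, which is why rcpt_reply counts completed replies rather than lines.
sample_transcript() {
    printf '220-mail.example.internal ESMTP\r\n220 ready\r\n'
    printf '250 mail.example.internal\r\n250 2.1.0 Ok\r\n'
    printf '554 5.7.1 <relay-test@example.com>: Relay access denied\r\n221 Bye\r\n'
}

if [ "${1:-}" = "--scan" ]; then
    scan_smtp_hosts | while read -r host; do probe_relay "$host"; done
fi
```

`sh relay-check.sh --scan` prints one line per SMTP host with its verdict and the raw reply.  Anything marked OPEN-RELAY accepted mail for an outside recipient from an unauthenticated internal address, which is precisely the gap the rant is about; whitelisting the few alerting hosts that legitimately need it is the fix.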

Published by admin on 08 Sep 2008

How to Upgrade to Ubuntu 8.04 LTS (Hardy) via Command Line

ubuntu-logo.jpg

So I finally decided that my Ubuntu server needed a little updating yesterday.  Although I do perform regular security updates and other configuration changes, this just so happened to be the first time I’d done a full distribution upgrade on an Ubuntu box.  This was mainly performed out of curiosity and not out of need.  Surprisingly enough, it was very easy and required little interaction on my part.  Here are the steps if you want to update your Ubuntu server to the latest distribution (currently Ubuntu 8.04 LTS, Hardy Heron).

Note: It is highly advised that you back up any critical data or system files prior to performing this how-to on your server.

1.) Make a backup of your /etc/apt/sources.list file

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

2.) Open the sources file for editing

sudo vi /etc/apt/sources.list

3.) Change the distribution references to the next release in the chain, but only one release at a time.  You will need to complete all the steps in this how-to for each hop (dapper->feisty->gutsy->hardy) it takes you to reach the latest version.  Use the following vi command (:%s/olddist/newdist/g) to change all the references in the sources.list file.  For my first upgrade, from dapper to feisty, I used the following…

:%s/dapper/feisty/g

4.) Update the package list from the newly referenced repositories…

sudo apt-get update

5.) Upgrade to the next distribution.  If it asks to replace the config file for, say, Apache or PHP, I would recommend keeping the existing one (option “N”).  I have a few virtual hosts set up alongside the default site in Apache and some custom settings in my php.ini, and the production setup was unaffected by keeping the existing configs throughout the upgrades.

sudo apt-get dist-upgrade

6.) Make sure everything ran ok. I ended up having to catch a plane while I was running the distribution upgrade in the airport and my SSH session terminated unexpectedly, which I thought was going to mess everything up. I ended up coming back today and running the second command listed below and it picked right up where it left off.

sudo apt-get -f install
sudo dpkg --configure -a

7.) Reboot your system…

sudo init 6

8.) After it boots back up check your distribution…

sudo lsb_release -a

9.) Rinse and repeat, making the necessary changes in step 3 to target the next release in the chain, until you’re running the latest version.  Special thanks to rob-the.geek.nz and debianadmin.com for creating the original material I used to help perform my upgrade.  I just added some of my personal tidbits to this document and made it my own reference for later.
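Steps 1 through 8 as one script that performs a single hop per run, with step 9 being to reboot and run it again.  This is an added example, not the post's own material.  It assumes an Ubuntu host with sudo, apt and lsb_release, follows the same dapper->feisty->gutsy->hardy chain the post used, and keeps existing config files the way step 5 recommends; the sources.list fed to retarget_sources in the check below is constructed so the rewrite can be exercised without touching /etc/apt.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 through 8 above as one script
# that walks the post's release chain (dapper -> feisty -> gutsy -> hardy) one hop
# per run, which is step 9. It assumes an Ubuntu host with sudo, apt and
# lsb_release; any sources.list handed to retarget_sources for a dry run is a
# constructed copy, so /etc/apt is only touched by upgrade_one_hop.

# Next codename in the chain the post followed; fails when there is no next hop.
next_release() {
    case "$1" in
        dapper) echo feisty ;;
        feisty) echo gutsy ;;
        gutsy)  echo hardy ;;
        *)      return 1 ;;
    esac
}

# Running release codename, e.g. "hardy".
current_release() {
    lsb_release -cs
}

# Step 3 without the editor: every "$2" in sources.list $1 becomes "$3", written
# to $4 (the same substitution as :%s/olddist/newdist/g in vi, so the
# "-security" and "-updates" pockets are retargeted too).
retarget_sources() {
    sed "s/$2/$3/g" "$1" > "$4"
}

# One hop. Run it inside screen or tmux: dist-upgrade on a dropped SSH session is
# exactly the situation step 6 exists to recover from. --force-confold answers
# every conffile prompt with the post's recommendation, keep the current file.
upgrade_one_hop() {
    cur=$(current_release)
    nxt=$(next_release "$cur") || { echo "no next hop from $cur in the chain; nothing to do"; return 0; }
    sudo cp /etc/apt/sources.list "/etc/apt/sources.list.$cur.bak"            # step 1
    tmp=$(mktemp)
    retarget_sources /etc/apt/sources.list "$cur" "$nxt" "$tmp"                 # steps 2-3
    sudo install -m 0644 "$tmp" /etc/apt/sources.list && rm -f "$tmp"
    sudo apt-get update                                                         # step 4
    sudo apt-get -y -o Dpkg::Options::=--force-confold dist-upgrade             # step 5
    sudo apt-get -f install && sudo dpkg --configure -a                         # step 6
    echo "now on $nxt: reboot (step 7), check lsb_release -a (step 8), rerun for the next hop"
}

if [ "${1:-}" = "--upgrade" ]; then upgrade_one_hop; fi
```

`sh hop-upgrade.sh --upgrade` does one hop; reboot and run it again until it reports there is no next hop.  Two caveats a practitioner would add to the post: the backup in step 1 only covers sources.list, so take a real backup of the box first as the note above says, and Ubuntu’s supported path for this is `do-release-upgrade` from the update-manager-core package, which among other things lets a dapper (6.06 LTS) host go straight to hardy (8.04 LTS) in one step instead of three.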

PS - This is my first time using code-snippet and I love it.  Props to hackerforhire.org for reviving such a useful tool!

***Update (9/19/08)***

I’ve performed this process on three other systems that I manage and they all worked flawlessly from dapper to feisty to gutsy to hardy.  I’ve also received some feedback from some in-tar-web friends that have also successfully used this how-to to upgrade their systems too. W00t!

***Update (9/25/08)***

I noticed that my servers were acting a little sluggish, so I jumped on the console and found a ton of device-mapper errors.  I thought it was going to be a big pain trying to resolve the issue, but apparently evms was installed during the upgrade process and has a known bug.  I ended up finding an article that suggested removing evms.  I used the following command followed by a reboot to resolve the issue.

sudo apt-get remove evms

Published by admin on 30 Jun 2008

Free Movies Online: Hulu.com

logo.jpg

So… I was just turned on to Hulu.com. This site allows you to watch TV and Movies for free online in great quality. You should check it out, now!


Published by admin on 18 Apr 2008

ZipTie is awesome!!!

Network device management just took an upturn.  I was on networkworld.com killing some time before a flight and found a review of this amazing tool called “ZipTie”.  This tool is free and it does things that most commercial tools won’t do out of the box.  It has a slew of great network management features, including configuration roll-back, nightly backups of your device configs, and diffs of device configs to make sure that the running, startup and previous backup are in complete sync.  It also does process batching, so you can write a process to remove type 7 passwords on all your Cisco equipment and just hit apply on all your devices, or automate any other formerly manual process.  It’s just way ahead of its time, but not a minute too soon.  I can’t wait to start using it in production to see its full feature set.

Check it out!!!! (www.ziptie.org)

img_freeware-slide21.jpg

Published by admin on 10 Apr 2008

Trix are for kids…


Well, it’s the end of the day and I haven’t started a new personal project in some time.  I think I’ve finally gotten fed up enough with my home setup to warrant a change.  One of the things that really bothers me when I work from home is not having a land line for conference calls.  My roomie Chris, the VoIP expert, says this is really not that hard to accomplish.  He says that I’ll have it up and running in one night with little effort.  He says all I need is a USB headset, a virtual machine running Asterisk and an Internet connection.

I just purchased a Logitech USB headset, I’m downloading the TrixBox ISO (an Asterisk distribution) and I’m reading up on how this setup would work.  I’m excited to try something where I have no clue what the final product will look like, but what better time to learn than now!

In reading the personal blog of the TrixBox CEO I found this pearl of a post (The Power of “I don’t Know”).  Check it out!

I hope to post an update tonight on my status :)

***UPDATE***

It took a few hours, but I now have an internal PBX system configured on my internal network.  VoIP is very cool.  I’m very surprised at how easy it was to configure!
