David Piniella

Schneier on Security. One of the best infosec blogs out there.

this is pretty big: http://www.itgovernance.co.uk/blog/cryptolocker-victims-to-get-files-back-for-free/

anything in [square brackets] needs to be changed or specified

First, define the QoS (CoS — Class of Service — in Juniper parlance) filters. This entails creating the classifiers, drop-profiles, forwarding-classes, scheduler-maps and schedulers. For the needs of this particular setup, I had to guarantee that the network control traffic (hellos, keepalives, etc) got through and the rest of the 30meg pipe that provided the office internet was to be shaped to prioritize traffic sensitive to delay (read: VoIP).

set interface [interface] per-unit-scheduler
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service classifiers dscp [mark_traffic_filter]  forwarding-class network-control loss-priority low code-points nc1
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class assured-forwarding loss-priority low code-points af11
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class best-effort loss-priority medium-low code-points be
set class-of-service drop-profiles be_drop_profile fill-level 50 drop-probability 10
set class-of-service drop-profiles be_drop_profile fill-level 75 drop-probability 15
set class-of-service drop-profiles be_drop_profile fill-level 95 drop-probability 20
set class-of-service forwarding-classes queue 0 best-effort
set class-of-service forwarding-classes queue 0 priority low
set class-of-service forwarding-classes queue 1 assured-forwarding
set class-of-service forwarding-classes queue 1 priority high
set class-of-service forwarding-classes queue 2 expedited-forwarding
set class-of-service forwarding-classes queue 2 priority high
set class-of-service interfaces reth0 unit 102 scheduler-map [name_cos_filter]
set class-of-service interfaces reth0 unit 102 shaping-rate 30m
set class-of-service scheduler-maps [name_cos_filter] forwarding-class network-control scheduler nc_scheduler
set class-of-service scheduler-maps [name_cos_filter] forwarding-class expedited-forwarding scheduler ef_scheduler
set class-of-service scheduler-maps [name_cos_filter] forwarding-class assured-forwarding scheduler af11_scheduler
set class-of-service schedulers ef_scheduler transmit-rate 29m
set class-of-service schedulers ef_scheduler buffer-size percent 30
set class-of-service schedulers ef_scheduler priority high
set class-of-service schedulers af11_scheduler transmit-rate remainder
set class-of-service schedulers af11_scheduler buffer-size percent 50
set class-of-service schedulers af11_scheduler priority medium-high
set class-of-service schedulers nc_scheduler transmit-rate 1m
set class-of-service schedulers nc_scheduler buffer-size percent 20
set class-of-service schedulers nc_scheduler priority strict-high

Once the CoS stuff is in place, you have to apply it to a firewall policy, so that it actually affects traffic:

set firewall family inet filter egress_cos_filter term office_voip from destination-address 1.1.1.0/24
set firewall family inet filter egress_cos_filter term office_voip from destination-address 256.256.256.0/24
set firewall family inet filter egress_cos_filter term office_voip from destination-address 192.168.2.0/22
set firewall family inet filter egress_cos_filter term office_voip from destination-address 127.0.0.0/22
set firewall family inet filter egress_cos_filter term office_voip from protocol udp
set firewall family inet filter egress_cos_filter term office_voip from destination-port 3479
set firewall family inet filter egress_cos_filter term office_voip from destination-port 15044
set firewall family inet filter egress_cos_filter term office_voip from destination-port 5060
set firewall family inet filter egress_cos_filter term office_voip from destination-port 5199
set firewall family inet filter egress_cos_filter term office_voip then count office_voip
set firewall family inet filter egress_cos_filter term office_voip then forwarding-class expedited-forwarding
set firewall family inet filter egress_cos_filter term non_voip_traffic then count non_voip_traffic_counter
set firewall family inet filter egress_cos_filter term non_voip_traffic then forwarding-class assured-forwarding
set firewall family inet filter egress_cos_filter term non_voip_traffic then accept

The count office_voip part of the filter stanza is there just to verify that the filter is actively affecting traffic (the office_voip count should go up if it is).

Further reading:

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/default-cos-section.html

http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/cos-qfx-series-traffic-control-profiles-understanding.html

http://dataplumber.wordpress.com/2011/12/30/junos-qos-notes/

http://jsrx.juniperwiki.com/index.php?title=COS

Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED.

Enabling user authentication on linux against Active Directory, using ubuntu, sssd and AD 2008 (should work with 2003r2)
1. Install the software you need:

apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli

2. vi /etc/sssd/sssd.conf and put this in it:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

3. chmod 0600 /etc/sssd/sssd.conf

4. vi /etc/realmd.conf and put this in it:

[service]
 automatic-install = no

5. run kinit Administrator@YOURDOMAIN.ALLINCAPS.TLD
6. run realm –verbose join yourdomain.allincaps.tld \
–user-principal=ubuntuserverhostname/Administrator@YOURDOMAIN.ALLINCAPS.TLD –unattended
You should have more content inside sssd.conf now, in the [domain/YOURDOMAIN.ALLINCAPS.TLD] section.
7. vi /etc/sssd/sssd.conf and comment out the line use_fully_qualified_names = True

You should now be able to su – to a domain user.

That’s it, you’re done: you can login to your linux box by authenticating to your Active Directory domain.

Additional (and optional) stuff is below, like adding groups and restricting logins based on groups.

Additional settings inside /etc/sssd/sssd.conf [domain] section to enable groups:

 [domain/yourdomain.allincaps.tld]
 ad_domain = yourdomain.allincaps.tld
 krb5_realm = YOURDOMAIN.ALLINCAPS.TLD
 realmd_tags = manages-system joined-with-adcli
 cache_credentials = True
 id_provider = ad
 krb5_store_password_if_offline = True
 default_shell = /bin/bash
 ldap_id_mapping = True
## comment out
#use_fully_qualified_names = True
## these will need to be created manually or you will need to modify pam to 
## mkdir them with pam_mkhomedir.so or use oddjob-mkhomedir, see below
 override_homedir = /home/%u
 fallback_homedir = /home/%d/%u
##group settings##
 ldap_group_uuid = objectGUID
 ldap_user_uuid = objectGUID
 ldap_group_member = member
 ldap_user_member_of = memberOf
 ldap_user_uid_number = uidNumber
 ldap_group_nesting_level = 1
 ldap_force_upper_case_realm = True
 ldap_user_principal = userPrincipalName
 ldap_user_object_class = user
 ldap_user_gid_number = gidNumber
 ldap_group_modify_timestamp = whenChanged
 ldap_group_object_class = group
 ldap_group_name = cn
 ldap_user_name = sAMAccountName
 ldap_ns_account_lock = userAccountControl
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_modify_timestamp = whenChanged
 ldap_group_gid_number = gidNumber
 ldap_referrals = false
 ldap_group_nesting_level = 0

Test that groups are working by su’ing to an AD user and typing in “groups”, which will show you what groups your user is a member of.

To make the homedirectory autocreate:

1. edit /etc/pam.d/common-session (/etc/pam.d/session-auth in RHEL)and add this line before any pam_ldap or pam_krb5 lines:

#autocreate user homedirs
 session required pam_mkhomedir.so umask=0022 skel=/etc/skel

To limit login by AD group:

1. Create a file that will have the group names allowed to login:

   vi /etc/login.allowed.per.ad.group

   and populate it with group names, one per line (I created an AD group called linux-login, to limit which users were allowed to login), like so:

   root
   wheel
   domain\ admins
   linux-login

2. edit /etc/pam.d/common-auth (in RHEL this is /etc/pam.d/system-auth) and add this line to it:

   auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.allowed.per.ad.group

To allow an AD group to have access to sudo:

1. visudo
2. add the AD groups

%domain\ admins ALL=(ALL) ALL

%linux-sudo ALL=(ALL) ALL

Further reading:
Allow/Deny login per group:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html

Various bits, mostly to do with LDAP authentication, but can be translated for use with AD/sssd/pam (e.g. homedir creation)
https://help.ubuntu.com/community/LDAPClientAuthentication

http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/

http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

http://linux.tvortex.net/2011/10/sssd-against-active-directory-2003.html

https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

On the AD side:

1. Install NPS on your AD DC.
2. Create a key (http://dice.neko-san.net/2012/08/linking-junos-authentication-to-active-directory-using-radius/ has screenshots, if you need that sort of thing.)
3. add clients (your switches/firewalls)

See also http://blog.arwin.me/os/cisco/how-to-setup-cisco-ios-to-authenticate-via-active-directory/

On a Cisco ASA:

aaa-server RADIUS protocol radius
aaa-server RADIUS host [IP address of your RADIUS box / AD machine running NPS] key [key]
radius-common-pw [key]
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication https console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

On a Cisco switch:

This example shows local authentication, which lets you Telnet into the router with username “cisco” and password “cisco.”

aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet

In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH.

ip domain-name host.domain.tld
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only.

line vty 0 4
transport input ssh
cry key gen rsa
ip ssh time-out 30
ip ssh version 2
line vty 0 4
transport input ssh

On a Juniper switch or firewall running JunOS:

set system authentication-order [radius password]
set system radius-server [IP Address of DC running NPS] secret [key]
set system radius-server [IP Address of DC running NPS] source-address [IP Address of interface that will communicate to DC]
set system radius-options password-protocol mschap-v2
set system login user [username] full-name "[Full User Name]" uid 9999 class super-user
# NOTE this erases your local password, so that ONLY the Domain password is allowed. This is more secure but more of a PITA if your NPS box craps out.
delete system login user [username] authentication encrypted-password

What I didn’t tell my neighbor was that I spent about 30 seconds in the stairwell scanning his keys with software that would let me reproduce them with no specialized skills whatsoever. The iPhone app I used wasn’t intended for anything so nefarious: KeyMe was designed to let anyone photograph their keys and upload them to the company’s servers. From there, they can be 3-D printed and mail-ordered in a variety of novelty shapes, from a bottle opener to Kanye West’s head.

via The App I Used to Break Into My Neighbor’s Home | Threat Level | WIRED.

The Linux Foundation announced that it would be working with edX, a non-profit online learning site governed by Harvard and MIT, to make its “Introduction to Linux” course free and open to all.

The Linux Foundation has long offered a wide variety of training courses through its website, but those can generally cost upwards of $2,000. This introductory class, which usually costs $2,400, will be the first from the Linux Foundation to run as a Massive Open Online Course (MOOC). There is no limit on enrollment through edX’s platform.

via $2,400 “Introduction to Linux” course will be free and online this summer | Ars Technica.

Vim Awesome.

Google swaps out MySQL, moves to MariaDB

‘They’re moving it all,’ says MariaDB Foundation headman

via Google swaps out MySQL, moves to MariaDB • The Register.