Category Archives: Linux

Deploying Joomla 1.5

This howto is based on Debian 5.0 (Lenny).

The first step to installing Joomla without issues is to bring the system up to date and install the dependencies.

apt-get update && apt-get upgrade

Installing MySQL

apt-get install mysql-server mysql-client

Installing Apache & PHP

apt-get install apache2 apache2-doc php5 php5-mysql libapache2-mod-php5

Testing PHP

vim /var/www/test.php

Write this code inside:

<?php phpinfo(); ?>

Then open http://iphost/test.php in a browser. Once PHP is confirmed working, delete test.php: phpinfo() publishes the PHP version, loaded modules, paths and environment to anyone who can reach the URL.

Managing database

To maintain our MySQL database we'll use Chive, a web-based MySQL administration tool. Run the download from /var/www so that it unpacks to /var/www/chive, which is where the next step expects it:

wget -O - http://launchpad.net/chive/0.4/0.4.0/+download/chive_0.4.0.tar.gz | tar -xzp

http://www.chive-project.com/Wiki/Installation

Open http://ipaddress/chive and enjoy! Keep in mind that this URL presents a MySQL login form to anyone who can reach the web server, so restrict it with Apache access control (or remove the directory) once the database work is done.

Add the MySQL extension to PHP, if phpinfo() does not already show a mysql section (on Debian the php5-mysql package normally enables it through /etc/php5/conf.d/mysql.ini):
vim /etc/php5/apache2/php.ini
extension=mysql.so

Enable the include module in Apache:
a2enmod include

/etc/init.d/apache2 restart

Install zip tools (needed to unpack the Joomla package):

apt-get install unzip zip

Database

Create a database and a dedicated MySQL user for Joomla (replace the example password 'opensource' with one of your own; it ends up in Joomla's configuration.php):

mysql -u root -p

mysql> create database joomla;

Create the user:

CREATE USER 'joomla'@'localhost' IDENTIFIED BY 'opensource';

Grant it only the privileges Joomla needs, and only on its own database:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON joomla.* TO 'joomla'@'localhost' IDENTIFIED BY 'opensource';

Reload the grant tables:

FLUSH PRIVILEGES;

Download and install Joomla:

cd /var/www
mkdir joomla
cd joomla

wget http://joomlacode.org/gf/download/frsrelease/13105/57240/Joomla_1.5.22-Stable-Full_Package.zip

unzip Joomla_1.5.22-Stable-Full_Package.zip

Permissions

chown -R www-data:www-data /var/www/joomla
find /var/www/joomla -type f -exec chmod 0644 {} \;
find /var/www/joomla -type d -exec chmod 0755 {} \;

Configure
Point your browser at http://ipaddress/joomla and follow the installer steps.

Don't forget to remove the installation folder. Joomla 1.5 refuses to run while it is present, and leaving it behind would let anyone re-run the installer:
rm -rf /var/www/joomla/installation/

See You!!


Asterisk & OSSEC Part II

In this post I'm going to explain how to define decoders, rules and active responses on the OSSEC server to stop attacks against our Asterisk.

OSSEC handles every event it receives in the same order: the decoders extract fields (source IP, user) from the log line, the rules decide whether those events are an alert and at what level, and the active responses act on the alerts that reach the configured level.

More information on OSSEC:
http://www.ossec.net/wiki/OSSEC
http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X

DECODERS

First, the decoders. By default OSSEC ships with Asterisk decoders for the SIP protocol; I have added decoders for the IAX protocol and am working on more for SIP, IAX, etc.

/var/ossec/etc# vim decoder.xml (the colour marking my additions is lost in this copy; the IAX decoders at the end are among them)

<!-- Asterisk logs -->
<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-hijacking">
<parent>asterisk</parent>
<prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
<regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
<order>user</order>
</decoder>

<!-- two capture groups, so order needs two fields: the first is the SIP user string, the second the IP -->
<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
<regex offset="after_prematch">^(\S+) failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>user, srcip</order>
</decoder>

<decoder name="asterisk-denied2">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

<decoder name="asterisk-iax-enumeration">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: No registration for peer </prematch>
<regex offset="after_prematch">^'(\S+)' \(\S+ (\d+.\d+.\d+.\d+)\)</regex>
<order>user, srcip</order>
</decoder>

<decoder name="asterisk-iax-authentication-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
<order>srcip, user</order>
</decoder>

RULES

Second, the rules:

/var/ossec/rules# vim asterisk_rules.xml (the colour marking my additions is lost in this copy: rule ids 6200 to 6252 are the ones that ship with OSSEC, and the ids from 100007 upward are the additions, since OSSEC reserves 100000-119999 for local rules; they survive upgrades better in /var/ossec/rules/local_rules.xml than in the stock file)

<!-- Asterisk Log messages -->
<group name="syslog,asterisk,">
<rule id="6200" level="0">
<decoded_as>asterisk</decoded_as>
<description>Asterisk messages grouped.</description>
</rule>

<rule id="6201" level="1">
<if_sid>6200</if_sid>
<match>^NOTICE</match>
<description>Asterisk notice messages grouped.</description>
</rule>

<rule id="6202" level="3">
<if_sid>6200</if_sid>
<match>^WARNING</match>
<description>Asterisk warning message.</description>
</rule>

<rule id="6203" level="3">
<if_sid>6200</if_sid>
<match>^ERROR</match>
<description>Asterisk error message.</description>
</rule>

<rule id="6210" level="5">
<if_sid>6201</if_sid>
<match>Wrong password</match>
<description>Login session failed.</description>
<group>authentication_failed,</group>
</rule>

<rule id="6211" level="5">
<if_sid>6201</if_sid>
<match>Username/auth name mismatch</match>
<description>Login session failed (invalid user).</description>
<group>invalid_login,</group>
</rule>

<rule id="6212" level="5">
<if_sid>6201</if_sid>
<match>No matching peer found</match>
<description>Login session failed (invalid extension).</description>
<group>invalid_login,</group>
</rule>

<rule id="6250" level="10" frequency="6" timeframe="300">
<if_matched_sid>6211</if_matched_sid>
<same_source_ip />
<description>Multiple failed logins (user enumeration in process).</description>
</rule>

<rule id="6251" level="10" frequency="6" timeframe="300">
<if_matched_sid>6210</if_matched_sid>
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>

<rule id="6252" level="10" frequency="6" timeframe="300">
<if_matched_sid>6212</if_matched_sid>
<same_source_ip />
<description>Extension enumeration.</description>
</rule>

<rule id="100007" level="5">
<if_sid>6201</if_sid>
<match>No registration for peer</match>
<description>Login session failed (invalid iax user).</description>
<group>invalid_login,</group>
</rule>

<rule id="100008" level="10" frequency="3" timeframe="300">
<if_matched_sid>100007</if_matched_sid>
<same_source_ip />
<description>Extension IAX Enumeration.</description>
</rule>

<rule id="100009" level="5">
<if_sid>6202</if_sid>
<match>Don't know how to respond via</match>
<description>Possible Registration Hijacking.</description>
<group>invalid_login,</group>
</rule>

<rule id="100010" level="5">
<if_sid>6201</if_sid>
<match>failed MD5 authentication</match>
<description>IAX peer Wrong Password.</description>
<group>invalid_login,</group>
</rule>

<rule id="100011" level="10" frequency="3" timeframe="300">
<if_matched_sid>100010</if_matched_sid>
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>

</group> <!-- ASTERISK -->

More information about rules: http://www.ossec.net/wiki/FAQ

ACTIVE-RESPONSE

Now we are going to define an active response to protect our Asterisk.

vim /var/ossec/etc/ossec.conf

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<agent_id>007</agent_id>
<level>10</level>
<rules_id>6252</rules_id>
<timeout>600</timeout>
</active-response>

We have defined an active response against extension enumeration attacks. When OSSEC detects the attack (rule 6252, level 10) on agent 007 (our Asterisk box), the server tells that agent to run firewall-drop.sh, which inserts iptables DROP rules for the offending source IP; <location>local</location> means the response runs on the agent that produced the alert, and <timeout>600</timeout> has the rules removed again after 10 minutes. Two cautions: <expect>srcip</expect> means the response only fires when the decoder actually extracted a source IP, so check the decoders first; and since SIP runs over UDP an attacker can spoof the source address to get a legitimate host blocked, so list your own trunks and provisioning servers in <white_list> in the <global> section of ossec.conf.

You can see the different active-response scripts in the /var/ossec/active-response/bin/ directory.
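To see how the decoders, rules and active response above fit together before touching a live PBX, here is an added example (mine, not OSSEC code and not from the original post) that replays constructed Asterisk syslog lines through a small Python model of that pipeline. The regexes are Python translations of the decoders above, and the sample lines imitate the chan_sip messages quoted in the alert later in this post. Two simplifications: a frequency rule here fires on exactly N matches from one source IP within the timeframe, whereas OSSEC documents that its counter fires two matches later than the frequency setting, and the active response is triggered only by the rule id listed in rules_id.

```python
"""Replay Asterisk syslog lines through a small model of the OSSEC pipeline above:
decoders -> atomic rules -> frequency rules (same_source_ip) -> active response.
Added example, not OSSEC code; the sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\S+?)\[\d+\]: (?P<msg>.*)$")
IP = r"(?P<srcip>\d+\.\d+\.\d+\.\d+)"
# Python translations of the decoders above, applied to the message after the program name.
DECODERS = [
    ("asterisk-denied", re.compile(r"Registration from '(?P<user>\S+)' failed for '" + IP + "'")),
    ("asterisk-iax-enumeration", re.compile(r"No registration for peer '(?P<user>\S+)' \(\S+ " + IP + r"\)")),
    ("asterisk-iax-authentication-denied",
     re.compile(r"Host " + IP + r" failed MD5 authentication for '?(?P<user>[^' ]+)")),
    ("asterisk-hijacking", re.compile(r"Don't know how to respond via '(?P<user>\w+/\d\.\d/\w+)'")),
]
# (rule id, level, severity of the parent rule: 6201 NOTICE / 6202 WARNING, <match> text)
ATOMIC_RULES = [
    (6210, 5, "NOTICE", "Wrong password"),
    (6211, 5, "NOTICE", "Username/auth name mismatch"),
    (6212, 5, "NOTICE", "No matching peer found"),
    (100007, 5, "NOTICE", "No registration for peer"),
    (100009, 5, "WARNING", "Don't know how to respond via"),
    (100010, 5, "NOTICE", "failed MD5 authentication"),
]
# (rule id, level, if_matched_sid, frequency, timeframe in seconds); all carry <same_source_ip />
COMPOSITE_RULES = [
    (6250, 10, 6211, 6, 300),
    (6251, 10, 6210, 6, 300),
    (6252, 10, 6212, 6, 300),
    (100008, 10, 100007, 3, 300),
    (100011, 10, 100010, 3, 300),
]
ACTIVE_RESPONSE_RULES = {6252}  # <rules_id>6252</rules_id> in the ossec.conf block above


def decode(line):
    """Return the decoded event (ts, severity, msg, srcip, user), or None if it is not an Asterisk line."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("asterisk"):
        return None
    msg = m.group("msg")
    event = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
             "severity": msg.split("[", 1)[0], "msg": msg, "srcip": None, "user": None}
    for _name, pattern in DECODERS:
        found = pattern.search(msg)
        if found:
            event.update(found.groupdict())
            break
    return event


def _composite_for(child_sid, event, history):
    """Apply the frequency rules chained to child_sid; return the composite alert if one fires."""
    for sid, level, if_sid, frequency, timeframe in COMPOSITE_RULES:
        if if_sid != child_sid or not event["srcip"]:
            continue
        key = (if_sid, event["srcip"])
        window = [t for t in history[key] if (event["ts"] - t).total_seconds() <= timeframe]
        window.append(event["ts"])
        if len(window) >= frequency:
            history[key] = []  # start a fresh window once the composite rule has fired
            return {"rule": sid, "level": level, "srcip": event["srcip"], "user": None}
        history[key] = window
    return None


def evaluate(lines):
    """Run the lines through decoders and rules; return the alerts in the order they fire."""
    alerts, history = [], defaultdict(list)
    for line in lines:
        event = decode(line)
        if event is None:
            continue
        for sid, level, severity, needle in ATOMIC_RULES:
            if event["severity"] == severity and needle in event["msg"]:
                alert = {"rule": sid, "level": level, "srcip": event["srcip"], "user": event["user"]}
                # as in OSSEC, the composite rule's alert replaces the child's alert when it fires
                alerts.append(_composite_for(sid, event, history) or alert)
                break
    return alerts


def firewall_drops(lines):
    """Source IPs the firewall-drop response above would block for these lines."""
    return {a["srcip"] for a in evaluate(lines) if a["rule"] in ACTIVE_RESPONSE_RULES and a["srcip"]}


def _sip_line(sec, ext, ip, reason):
    return ("May 19 11:42:%02d asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in "
            "handle_request_register: Registration from '\"%s\"<sip:%s@192.168.1.60>' failed for '%s' - %s"
            % (sec, ext, ext, ip, reason))


# Constructed sample log: a svwar-style extension sweep, one bad password, an IAX sweep, a hijack warning.
SAMPLE_LOG = (
    [_sip_line(17, 355 + i, "192.168.210.48", "No matching peer found") for i in range(7)]
    + [_sip_line(20, 4999, "10.0.0.5", "Wrong password")]
    + ["May 19 11:43:%02d asterisk asterisk[5200]: NOTICE[14809]: chan_iax2.c:7000 in "
       "registry_authrequest: No registration for peer '%d' (from 192.168.210.49)" % (s, 2000 + s)
       for s in range(3)]
    + ["May 19 11:44:00 asterisk asterisk[5200]: WARNING[14810]: chan_sip.c:3000 in "
       "transmit_response_using_temp: Don't know how to respond via 'SIP/2.0/UDP'"]
)
```

Running evaluate(SAMPLE_LOG) yields five level-5 alerts for rule 6212, then one level-10 alert for 6252 on the sixth probe from 192.168.210.48 (the seventh starts a new window), a single 6210 for the lone wrong password that never reaches 6251, a 100008 after the third IAX probe from 192.168.210.49, and a 100009 for the WARNING line; firewall_drops(SAMPLE_LOG) returns only 192.168.210.48, because the ossec.conf block ties the response to rule 6252 alone. Swap in your own lines from /var/log/messages to check that a decoder really extracts srcip before you enable the response on a production box.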

TESTING

Now that the system is configured, let's test it with SIPVicious:

http://code.google.com/p/sipvicious/downloads/list

1.- Search for servers with the SIP port open: python svmap.py 192.168.1.1-254

| 192.168.1.60:5060 | Asterisk PBX |

2.- We've discovered one server with the SIP port open. Now we search for the extensions available on it:

python svwar.py -e0000-9999 192.168.1.60

Without OSSEC's protection, the scan finds the available extensions on our Asterisk:
| Extension | Authentication |
------------------------------
| 4999      | reqauth        |

With the configuration from this tutorial in place, the same extension scan is cut short: the scanner's source IP gets dropped after a handful of failed registrations and the remaining probes time out.

sudo python svwar.py -e0000-9999 192.168.1.60
WARNING:root:found nothing
ERROR:TakeASip:socket error: timed out

Alerts on our OSSEC server, in /var/ossec/logs/alerts/alerts.log:

** Alert 1274262205.108674992: mail - syslog,asterisk,
2010 May 19 11:43:25 (asterisk) 192.168.1.60->/var/log/messages
Rule: 6252 (level 10) -> 'Extension enumeration.'
Src IP: 192.168.210.48
User: (none)
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"361"<sip:361@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"360"<sip:360@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"359"<sip:359@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"358"<sip:358@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"357"<sip:357@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"356"<sip:356@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"355"<sip:355@192.168.1.60>' failed for '192.168.210.48' - No matching peer found

To check that OSSEC has sent the command to our Asterisk, look at the active-response log on the agent (/var/ossec/logs/active-responses.log) or at the iptables rules on the Asterisk box.

iptables on our Asterisk:

root@asterisk:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  192.168.210.48       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  192.168.210.48       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you have any questions or need help, post here.


Ossim & Netflow

I have started using OSSIM to monitor network issues and security.
http://www.ossim.net/wiki/doku.php?id=installation

My first steps with OSSIM have been with the NetFlow module (nfsen).

This is a mini howto for configuring nfsen on the OSSIM server to monitor Cisco routers.

Configure NetFlow on the Cisco router
config t
interface FastEthernet 0/0 (or whichever interface you want to account for)
ip route-cache flow
exit

ip flow-export destination "dst ip" "dst port"
ip flow-export source "src interface"
ip flow-export version 5

ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

exit
write mem

"dst ip" is the OSSIM server and "dst port" the UDP port nfsen will listen on (9567 below). The active timeout is in minutes and the inactive one in seconds, so long-lived flows are reported every minute instead of only when they end. With this, the device is configured.

Configure Nfsen

Then we have to add this device in nfsen.conf (the port must match the one given in the router's flow-export destination):

%sources = (
'Router' => { 'port' => '9567', 'col' => '#0000ff', 'type' => 'netflow' },
);

After this we have to reconfigure nfsen so that it starts a collector for the new source:

/usr/nfsen/bin/nfsen reconfig
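When a source stays empty it helps to look at what actually arrives on UDP/9567 before blaming nfsen. The following added example (mine, not part of the original post and not nfsen code) builds a constructed NetFlow v5 datagram in the format the router config above exports and parses it back using the fixed 24-byte header and 48-byte record layout of v5; point parse_v5() at the UDP payload of a packet captured with tcpdump on the OSSIM box. Keep in mind that v5 is plain UDP with no authentication, so the collector believes whatever reaches that port; restrict it to the routers' source addresses.

```python
"""Build and decode NetFlow v5 export datagrams (the format `ip flow-export version 5` sends).
Added example, not nfsen code; the flows below are constructed, not captured."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
ADDR_FIELDS = ("srcaddr", "dstaddr", "nexthop")


def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError if the datagram is not sane v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % header["version"])
    if header["count"] > 30:
        raise ValueError("v5 carries at most 30 records per datagram")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError("truncated datagram: %d bytes, %d expected" % (len(datagram), expected))
    flows = []
    for i in range(header["count"]):
        flow = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)))
        for key in ADDR_FIELDS:
            flow[key] = socket.inet_ntoa(flow[key])
        flows.append(flow)
    return header, flows


def is_valid_v5(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(flows, unix_secs=1274262205, sys_uptime=600000, flow_sequence=0):
    """Pack flow dicts (RECORD_FIELDS keys, dotted-quad addresses) into one v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b""
    for flow in flows:
        raw = dict(flow)
        for key in ADDR_FIELDS:
            raw[key] = socket.inet_aton(raw[key])
        body += V5_RECORD.pack(*(raw[k] for k in RECORD_FIELDS))
    return header + body


def top_talkers(flows, n=10):
    """Octets per source address, largest first: the aggregation behind nfsen's Top N view."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow["srcaddr"]] += flow["doctets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def _flow(src, dst, sport, dport, prot, pkts, octets):
    return {"srcaddr": src, "dstaddr": dst, "nexthop": "0.0.0.0", "input": 1, "output": 2,
            "dpkts": pkts, "doctets": octets, "first": 590000, "last": 599000,
            "srcport": sport, "dstport": dport, "pad1": 0, "tcp_flags": 0x18, "prot": prot,
            "tos": 0, "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24, "pad2": 0}


# Constructed sample: one HTTP flow plus a burst of SIP registrations toward the PBX from a scanner.
SAMPLE_FLOWS = [
    _flow("192.168.1.20", "192.168.1.5", 51234, 80, 6, 12, 9000),
    _flow("192.168.210.48", "192.168.1.60", 5060, 5060, 17, 10000, 4000000),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)
```

The sanity checks in parse_v5() matter in practice: a collector that trusts the count field without comparing it to the datagram length will read past the buffer on a malformed or deliberately short packet, which is exactly what an attacker with access to the collector port would send first.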

Now I have started to configure the OSSEC and Snort modules. When I have good results I will post another howto on these modules.


Provisioning Linksys SPA922

When I started in the world of Asterisk, one of the important things when deploying a VoIP network was segmenting the network into VLANs to separate voice and data. When I started two years ago, I only knew two options:

- Use different networks, but this means doubling the number of switches (a lot of money and, in my opinion, unprofessional).
- Use VLANs to separate the networks. This option is better, although it requires a lot of administrative work whenever a computer or telephone changes location.

I looked into how to do this automatically, and it seems to work.

Here is an example implementation.

In this scenario we are going to configure a system to provision Linksys phones (SPA922). First we have to configure our LAN with two VLANs (or more) to separate the data and voice networks. We have used Cisco switches (Catalyst 2960 and 3750).

Networking

The IP ranges of the VLANs are:

Vlan 1 -> data network -> 192.168.1.0/24
Vlan 2 -> voice network -> 10.3.3.0/24

We need two DHCP servers, one in each VLAN. In VLAN 1 we have configured a DHCP server (Windows 2003 Server), which will be the principal DHCP server. This is its configuration (option 066 points the phones, which first boot on the data VLAN, at the TFTP server on the voice VLAN):

003 Router 192.168.1.1
006 DNS Servers 192.168.1.5 192.168.1.6
015 DNS Domain Name testing.lan.com
044 WINS/NBNS Servers 192.168.1.5
046 WINS/NBNS Node Type 0x8
066 Boot Server Host Name 10.3.3.3 (TFTP Server)

In the other VLAN (VoIP) we have the Asterisk server, which also runs the DHCP server and the TFTP server. These are the configs:

apt-get install dhcp3-server

/etc/dhcp3# vim dhcpd.conf

subnet 10.3.3.0 netmask 255.255.255.0
{
range 10.3.3.100 10.3.3.254;
option domain-name-servers 192.168.1.6;
option routers 10.3.3.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.3.3.255;
option tftp-server-name "10.3.3.3";
default-lease-time 600;
max-lease-time 7200;
}

Provisioning

apt-get install atftpd

/etc/default# vim atftpd

USE_INETD=false
OPTIONS="--daemon --port 69 --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=5 /tftpboot"

USE_INETD=false makes the init script start atftpd as a standalone daemon with the OPTIONS above (with USE_INETD=true the init script does nothing and inetd runs it instead). The last argument is the directory atftpd serves: /tftpboot holds the general config file for all phones (spa922.cfg, which the SPA922 fetches by default) as well as the per-phone config files referenced by the Profile_Rule below, which live in /tftpboot/spa922-MAC/. TFTP has no authentication or encryption, so treat everything in that tree as readable by any host that can reach UDP/69 on the voice VLAN.

/tftpboot# vim spa922.cfg

<flat-profile>

<!-- PROVISIONING -->
<Resync_Periodic>10</Resync_Periodic>
<Resync_Error_Retry_Delay>20</Resync_Error_Retry_Delay>
<Profile_Rule ua="na">/spa922-MAC/spa922-$MA.cfg</Profile_Rule>

<!-- SYSTEM -->
<Primary_NTP_Server ua="na">192.168.1.10</Primary_NTP_Server>
<Time_Zone ua="na">GMT+01:00</Time_Zone>

<!-- TIMERS -->
<Interdigit_Long_Timer ua="na">25</Interdigit_Long_Timer>

<!-- SIP -->
<Proxy_1_>10.3.3.3</Proxy_1_>

<Use_Auth_ID_1_ ua="na">No</Use_Auth_ID_1_>
<Preferred_Codec_1_>G711a</Preferred_Codec_1_>
<Use_Pref_Codec_Only_1_>no</Use_Pref_Codec_Only_1_>

<Dial_Plan_1_ ua="na">([1345]xxxS0|6xxxxxxxxS0|9xxxxxxxxS0|xx.)</Dial_Plan_1_>
<Enable_IP_Dialing_1_ ua="na">No</Enable_IP_Dialing_1_>

<Enable_VLAN ua="rw"> yes </Enable_VLAN>
<VLAN_ID ua="rw"> 2 </VLAN_ID>

</flat-profile>
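The Profile_Rule above makes each phone fetch its own file from spa922-MAC/spa922-$MA.cfg after the common profile, so something has to produce those files. Below is an added example (mine, not part of the original post and not Cisco/Linksys tooling) that generates them from a phone inventory. Everything beyond what the post shows is my assumption: the per-line elements User_ID_1_, Password_1_, Display_Name_1_ and Station_Name in the SPA9xx flat-profile format, the output directory /tftpboot/spa922-MAC under the atftpd root, and the constructed phone list. $MA expands to the MAC address in lowercase hex without separators, which is what profile_filename() reproduces.

```python
"""Generate per-phone SPA922 profiles for the Profile_Rule /spa922-MAC/spa922-$MA.cfg.
Added example, not Linksys/Cisco tooling; element names and the phone list are assumptions."""
import os
import re
from xml.sax.saxutils import escape

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")
EXT_RE = re.compile(r"^\d{3,5}$")


def normalize_mac(mac):
    """Render a MAC the way $MA does: '00:0E:08:AA:BB:01' -> '000e08aabb01'."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return re.sub(r"[:-]", "", mac).lower()


def profile_filename(mac):
    return "spa922-%s.cfg" % normalize_mac(mac)


def render_profile(mac, extension, secret, display_name, proxy="10.3.3.3"):
    """Per-phone flat-profile: the SIP account for line 1 plus the same VLAN settings as the base file."""
    if not EXT_RE.match(extension):
        raise ValueError("extension must be 3 to 5 digits: %r" % extension)
    lines = [
        "<flat-profile>",
        "<!-- generated for %s; edit the inventory, not this file -->" % normalize_mac(mac),
        '<Proxy_1_ ua="na">%s</Proxy_1_>' % escape(proxy),
        '<User_ID_1_ ua="na">%s</User_ID_1_>' % escape(extension),
        '<Password_1_ ua="na">%s</Password_1_>' % escape(secret),   # escape() keeps & < > from breaking the XML
        '<Display_Name_1_ ua="na">%s</Display_Name_1_>' % escape(display_name),
        '<Station_Name ua="na">%s</Station_Name>' % escape(display_name),
        '<Enable_VLAN ua="rw">yes</Enable_VLAN>',
        '<VLAN_ID ua="rw">2</VLAN_ID>',
        "</flat-profile>",
    ]
    return "\n".join(lines) + "\n"


# Constructed phone inventory (sample data, not a real site): MAC, extension, SIP secret, display name.
PHONES = [
    ("00:0E:08:AA:BB:01", "4001", "s3cret-4001", "Reception"),
    ("00-0e-08-aa-bb-02", "4002", "s3cret-4002", "Ops & Support"),
]


def generate_all(phones=PHONES):
    """Return {filename: profile text}; refuse duplicate MACs or extensions (two phones would fight over one SIP peer)."""
    profiles, seen_ext = {}, set()
    for mac, ext, secret, name in phones:
        if ext in seen_ext:
            raise ValueError("extension %s assigned twice" % ext)
        seen_ext.add(ext)
        fname = profile_filename(mac)
        if fname in profiles:
            raise ValueError("MAC %s listed twice" % mac)
        profiles[fname] = render_profile(mac, ext, secret, name)
    return profiles


def inventory_is_valid(phones):
    try:
        generate_all(phones)
        return True
    except ValueError:
        return False


def write_all(directory="/tftpboot/spa922-MAC", phones=PHONES):
    """Write the profiles into the TFTP tree (assumed path; atftpd runs as nobody, so they must be world-readable)."""
    os.makedirs(directory, exist_ok=True)
    for fname, text in generate_all(phones).items():
        with open(os.path.join(directory, fname), "w") as fh:
            fh.write(text)
```

Because TFTP hands these files in cleartext to anyone on the voice VLAN who knows or guesses a MAC, the SIP secrets in them are only as private as that VLAN; the SPA firmware also accepts https:// profile rules and encrypted profiles, which is the upgrade path if the voice VLAN cannot be trusted.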


Network Link Redundancy

Follow these steps to create link redundancy on a server with two Ethernet cards in Debian 4.0 Etch.

- 1. apt-get install ifenslave (ifenslave-2.6)

- 2. Create a file called aliases-bond in /etc/modprobe.d/ with the following content (mode=1 is active-backup; arp_interval is in milliseconds, and arp_ip_target must be a host that always answers ARP, such as the gateway):

alias bond0 bonding
options bond0 mode=1 arp_interval=2000 arp_ip_target="the gateway"

- 3. Load bonding with this command -> modprobe bonding

- 4. Add "bonding" to /etc/modules

- 5. Edit /etc/network/interfaces:

auto bond0
iface bond0 inet static
pre-up modprobe bond0
hwaddress ether "the mac address of one of the ethernet cards"
address "ip address"
netmask "subnet mask"
gateway "gateway"
dns-nameservers X.X.X.X  X.X.X.X
up ifenslave bond0 eth0 eth1
down ifenslave -d bond0 eth0 eth1

It Works!!

😉

