
Microsoft PKI Planning and Deploying Certificate Services Part 2


KB ID 0001310 Dtd 14/05/17

Problem

In Part One we deployed our offline Root CA Server, now we are going to deploy a ‘Certificate Revocation Location’ server.

Solution

Before you start:

Create a DNS record for ‘pki’ that points to the IP address of the server that will host the CRL web site.

DNS Requirements For CRL

I’m installing my CRL server on a separate web server because that’s good practice. Starting with a domain-joined member server, launch Server Manager > Manage > Add Roles and Features.

Add a role or feature

Role Based > Next > Select the Local Server > Next.

Add a Local Role

Select Web Server IIS > Add Features > Next > Next.

Add IIS Role

Next > No additional features are required > Next.

IIS Role Features

Next > Install > Close.

Windows Web Feature

Create a Folder called PKI on the Root of your web server and share it as PKI$ (The dollar denotes hidden share).

CRL Share

Set the share permissions as follows;

  • SYSTEM: Full Control
  • Domain Admins: Full Control
  • Cert Publishers: Change
  • Servers That Will Publish CRLs: Full Control

CRL Folder Permissions

Launch Internet Information Services (IIS) > Server-name > Sites > Default Web Site > Add Virtual Directory.

  • Alias: PKI
  • Physical Path: C:\PKI

CRL Virtual Directory

Select your new PKI directory > Edit Permissions.

  • Cert Publishers: Modify.
  • DefaultAppPool: Read and Execute.

Note: You cannot browse for DefaultAppPool; change the location to the local computer name and type in the user name ‘IIS AppPool\DefaultAppPool’.

CRL Virtual Directory Permissions

For your PKI Virtual Directory select ‘Configuration Editor’.

CRL Configuration Editor

System.webServer > Security > requestFiltering > allowDoubleEscaping > Change to ‘True’ > Apply.

Allow Double Escaping

Now select ‘Directory Browsing’.

Allow Directory Browsing

Enable.

IIS Enable Directory Browsing

At this point, copy in the .crl file you exported from your offline Root CA. (I also copy in the Root CA certificate, so I know where I can get a copy!)

Copy Root CA CRL to CRL

When you set up your CA servers, the CAPolicy.inf file has a ‘Legal Policy Statement’ section, and the URL I used points to this server as well (it was http://pki.cabench.com/pki/cps.txt). So create the cps.txt file in the same directory. To decide what text will go in the file, read RFC 7382.

CRL cps.txt
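The steps above (folder, hidden share, NTFS permissions, virtual directory, double escaping and directory browsing) as one PowerShell script. This is an added example, not the article’s own procedure; it assumes it runs elevated on the domain-joined IIS server after the Web Server role is installed, that the NetBIOS domain name is CABENCH (the article only gives cabench.com), and it uses a placeholder computer account (ISSUINGCA$) for the CA that will publish CRLs into the share.

```powershell
# Added example (not from the original article): build the CRL web server from PowerShell.
# Assumptions: elevated session on the IIS server, domain NetBIOS name 'CABENCH',
# placeholder 'ISSUINGCA$' for the computer account of each CA that publishes CRLs.
Import-Module WebAdministration

$pkiPath   = 'C:\PKI'
$shareName = 'PKI$'                       # the trailing $ hides the share from browse lists
$domain    = 'CABENCH'                    # assumption: NetBIOS name for cabench.com
$publisher = "$domain\ISSUINGCA$"         # placeholder: CA computer account that writes CRLs

# 1. Folder and hidden share with the share permissions listed in the article
New-Item -Path $pkiPath -ItemType Directory -Force | Out-Null
New-SmbShare -Name $shareName -Path $pkiPath `
    -FullAccess 'NT AUTHORITY\SYSTEM', "$domain\Domain Admins", $publisher `
    -ChangeAccess "$domain\Cert Publishers" | Out-Null

# 2. NTFS permissions: Cert Publishers = Modify, the app pool identity = Read & Execute
$acl     = Get-Acl -Path $pkiPath
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules   = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Cert Publishers", 'Modify', $inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('IIS AppPool\DefaultAppPool', 'ReadAndExecute', $inherit, 'None', 'Allow')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $pkiPath -AclObject $acl

# 3. Virtual directory /PKI under the Default Web Site
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'PKI')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'PKI' -PhysicalPath $pkiPath | Out-Null
}

# 4. allowDoubleEscaping: delta CRL file names end in '+', which request filtering rejects by default
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\PKI' `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

# 5. Directory browsing, so you can see what has been published
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\PKI' `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true

# 6. Check: the URL your CAPolicy.inf / CDP points at must answer over plain HTTP (no TLS, no auth)
Invoke-WebRequest -Uri 'http://pki.cabench.com/pki/' -UseBasicParsing | Select-Object StatusCode
```

The final request is the check worth keeping: clients fetch CRLs anonymously over plain HTTP, so if the directory ever needs authentication or redirects to HTTPS, revocation checking will fail for every certificate the CA issues.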

The next most logical step depends on whether you are building a two-tier or a three-tier PKI environment. If it’s three-tier, you are going to deploy your Intermediate Sub CA server next. If it’s two-tier, you are going to deploy your Issuing CA next.

 

Related Articles, References, Credits, or External Links

NA


WannaCry – Protect Yourself


KB ID 0001311 Dtd 15/05/17

Problem

Last Friday the IT world was hit by another attack. WannaCry is a ransomware infection that exploits a hole in the Windows SMB protocol.

wannacry

This hole was patched back in March (security update MS17-010), so if your Windows Update supported systems have updates enabled, you will probably already be protected.

Why were big organisations like the NHS hit? Primarily because they have systems that are no longer supported (or patched) by Microsoft, e.g. Windows XP (support ended in 2014) and Windows Server 2003 (support ended in 2015). It happens because organisations have software that cannot run on more modern operating systems, so instead of migrating away from the software, Trusts continue to run old operating systems.

 

Solution

WannaCry Removal

If you are already infected, disconnect your affected machines from the network; Kaspersky has a tool that you can use.

Ransomware Removal

Microsoft Patches Windows XP and Server 2003

Although they have no requirement to do so, Microsoft has released patches for these legacy operating systems;

MS17-010 KB4012598 (WannaCry Patch)

Additional Steps

  1. Enable Windows Updates and, wherever possible, set it to install updates automatically. If you are a corporate customer, put together a patching policy that has security updates tested and rolled out in a matter of days.
  2. Back up your machines: the most effective defence is having your files backed up, so if you are infected you can simply roll back to before the infection.
  3. Be vigilant: don’t click attachments in emails unless you are 100% sure they are genuine.
  4. Local firewalls: turn them on (Start > Run > Firewall.cpl {enter}).
  5. Corporate firewalls: block all inbound TCP 139 and TCP 445 traffic.
  6. Run up-to-date antivirus and anti-malware.
  7. Don’t pay the ransom, and don’t engage with the perpetrators.
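Steps 1, 4 and 5 above can be checked and applied on a single Windows host with PowerShell. This is an added example, not from the original article; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and uses the KB number the article gives for XP and Server 2003. MS17-010 ships under a different KB number for each newer Windows version, so substitute the right one for the host you are checking.

```powershell
# Added example (not from the original article): verify the MS17-010 patch and apply the
# local-firewall steps from the list above. Assumes Windows 8 / Server 2012 or later.
$ms17010Kb = 'KB4012598'   # the article's KB for XP / Server 2003; other versions use other KBs

function Test-Ms17010Patch {
    param([string]$KbId)
    $patch = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    if ($patch) { return "Patched: $($patch.HotFixID) installed $($patch.InstalledOn)" }
    return "NOT patched for $KbId - install it, or confirm the equivalent MS17-010 KB for this OS"
}

# 1. Patch state
Test-Ms17010Patch -KbId $ms17010Kb

# 2. Local firewall on for every profile (step 4 in the list)
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 3. Block inbound SMB / NetBIOS session traffic (step 5 applied locally), once only
$ruleName = 'Block inbound SMB (TCP 139,445)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}

# 4. Show what is still listening on those ports, so you know what the rule now shields
Get-NetTCPConnection -State Listen -LocalPort 139,445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Apply the block rule to workstations and servers that do not serve files; on a file server or domain controller it will stop legitimate SMB clients, which is why the article puts the 139/445 block on the corporate firewall rather than on every host.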

 

Related Articles, References, Credits, or External Links

NA

Microsoft PKI Planning and Deploying Certificate Services Part 3


KB ID 0001312 Dtd 15/05/17

Problem

Following on from Part Two, we now have an offline Root CA and a CRL server; our next step is defined by our PKI design: are we three tier, or two tier? (Look in Part One for a definition.)

Solution

As previously mentioned, Microsoft just treats Intermediate CAs and Issuing CAs as the same thing (SubCAs), so the next step is identical for either. But I would suggest one difference: if I was deploying an Intermediate CA, I would have "LoadDefaultTemplates=0" in the CAPolicy.inf file, and for an Issuing server I would not (that's just my personal preference).

I'm going to continue this piece for a two tier PKI deployment. And my next SubCA will be an Issuing CA.

Create your SubCA CAPolicy.inf file and save it to C:\Windows

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
CRLPeriod=weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

CAPolicy File SubCA

Launch Server Manager > Manage > Add Roles and Features.

2012 Add Role

Role Based > Next > Select the Local Server > Next > Active Directory Certificate Services > Add Features > Next.

2012 Add Certificate Services

No additional Features are Needed > Next > Next > Select Certification Authority > Optional*: Select Certificate Authority Web Enrolment > Next.

*Note: This gives you the nice registration website for certificates.

023-certification-authority-windows

Next > Install > Close.

Add Role

Configure Active Directory Certificate Services.

Configure Role Services

Next > Select 'Certification Authority' and 'Certificate Authority Web Enrolment', if you selected it above > Next > Enterprise CA > Next.

Enterprise CA

Subordinate CA > Next > Create New Private Key > Next > Change the Hash algorithm to SHA256 > Next.

CA Sha 256

Give the CA a sensible Name > Next > Select 'Save certificate request to a file on the target machine' > Next.

Sub CA Certificate

Next > Next > Install > Close.

Note: The warning is fine, we haven't installed the certificate yet; that's our next step.

CA Offline Request

Copy your certificate request file (ending .req) and put it on your floppy drive.

Note: I'm aware we are in the 21st century! I'm using virtual floppy drives.

CA Request submit

Present the floppy drive to your offline Root CA and execute the following command;

certreq -submit "A:\filename.req"

When prompted with the CA name > OK > Take a note of the RequestID you need this in a moment. (Leave the command window open!)

Submit CA Request

Open the Certificate Services Management Console > Server-name > Pending Requests > Locate your request > Issue the certificate.

Issue SubCa Certificate

Back at command line issue the following command;

certreq -retrieve {RequestID} "A:\SubCA.crt"

When prompted with the CA name > OK.

Retrieve SubCA Certificate

Check the certificate has appeared on your floppy drive, and present that back to your SubCA server > Open the Certificate Services Management console > Server-name > All Tasks > Install CA Certificate > Locate the cert > Open.

Install SubCA Cert

Start the service. (If it errors at this point you may have a problem with your CRL server; see the following link for a temporary workaround until you can fix the CRL.)

Certificate Services – Disable CRL Checking

Troubleshooting: Open an MMC Snap-in and Add the Enterprise PKI snap-in to point you towards problems.

Start Certificate Services

At this point I like to copy the Sub CA cert to C:\Windows\System32\Certsrv\CertEnroll. You should see the CRL for the SubCA already there (and maybe a delta CRL, like the image below).

Publish SubCA and CRL

Now we are going to publish those into AD, open an administrative command window and issue the following commands;

cd C:\Windows\System32\Certsrv\CertEnroll
certutil -dspublish -f SubCA.crt SubCA
certutil -addstore -f root SubCA.crt
certutil -addstore -f root SubCA.crl
certutil -dspublish SubCA.crl

 

Publish SubCA and CRL

Restart Certificate Services;

net stop certsvc
net start certsvc

Set CRL

Back in Certificate Services > Properties > Extensions > Remove the http and file entries, NOT the ldap one or the one that's pointing to C:\Windows.

Sub CA Remove CRL

With CRL Distribution Point showing > Add > Type in http://pki.{your-domain}/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: You can add the variables in to avoid typing them, DON'T FORGET to put .crl on the end!

OK.

Add http CRL Location

With your new URL selected, tick;

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Services will Restart.

Publish CRL Windows Server

Once Again, click Add, this time type in the UNC path to your hidden PKI share on your CRL Server, e.g.

\\pki.{your-domain}\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: You can add the variables in to avoid typing them, DON'T FORGET to put .crl on the end!

OK.

CRL UNC Path Windows 2016

With your UNC path selected, tick;

  • Publish CRLs to this location.
  • Publish Delta CRLs to this location.

Apply  > OK > Services will restart.

UNC Path for Windows CRL
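The CDP changes above can be made from PowerShell with the ADCSAdministration module, which maps each tick box to a switch. This is an added example rather than the article's own commands; it assumes an elevated session on the Issuing CA, the article's domain cabench.com, and the PKI$ share from Part Two.

```powershell
# Added example (not the article's own commands): the CDP changes made with ADCSAdministration.
# Assumes an elevated session on the Issuing CA; cabench.com and PKI$ come from the article.
Import-Module ADCSAdministration

$httpCdp = 'http://pki.cabench.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$uncCdp  = '\\pki.cabench.com\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 1. Remove the default http:// and file:// entries; the ldap:/// and local C:\Windows ones stay
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(http|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# 2. http URL: 'Include in CRLs (delta locations)' = -AddToFreshestCrl,
#              'Include in the CDP extension of issued certificates' = -AddToCertificateCdp
Add-CACrlDistributionPoint -Uri $httpCdp -AddToFreshestCrl -AddToCertificateCdp -Force

# 3. UNC path: 'Publish CRLs' and 'Publish Delta CRLs' to the hidden share on the CRL server
Add-CACrlDistributionPoint -Uri $uncCdp -PublishToServer -PublishDeltaToServer -Force

# 4. Restart the service so the new extension config is used, then publish a fresh CRL
Restart-Service certsvc
certutil -crl

# 5. Verify the configuration, then make the CA fetch its own CRL/AIA URLs end to end
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer -AutoSize
certutil -verify -urlfetch 'C:\Windows\System32\Certsrv\CertEnroll\SubCA.crt'
```

The `certutil -verify -urlfetch` line is the check to keep: it downloads every CDP and AIA URL embedded in the SubCA certificate and reports which ones fail, which is exactly what a client will do when it validates a certificate this CA issues.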

That's your PKI environment stood up and ready to go, you may also want to setup OCSP, see the following article;

Microsoft Certificate Services Configuring OCSP

You can now issue certificates, some of the things you might want to consider setting up are;

Windows Server 2012 – Enable LDAPS

Deploying Certificates via ‘Auto Enrollment’

Windows Server 2012 – Secure RDP Access with Certificates

Install and Configure Certificate Enrolment Policy Web Service

Related Articles, References, Credits, or External Links

NA

Cisco – Joining Layer 2 Networks Over Layer 3 Networks


KB ID 0001313 Dtd 22/05/17

Problem

It's a common problem: you want to connect one site to another and still have them on the same layer 2 network.

xConnect

As you can see above, both routers at the bottom are in the 172.16.1.0/24 network. Let's assume they are clients in the same layer 2 network; how would you connect them?

Solution

Option 1: xconnect over L2TP

All the 'heavy lifting' is done on the SiteA and SiteB routers. We will start with Site A. You create a pseudowire class, and specify the interface that will do the encrypting.

!
pseudowire-class CL-XCONNECT
 encapsulation l2tpv3
 protocol none
 ip local interface Ethernet 0/0
!

Set the public (internet facing)  IP.

!
interface Ethernet0/0
 ip address 192.168.200.1 255.255.255.0
 no shut
!

Finally set up the private (LAN-facing) interface, and specify the 'other side' of the encryption tunnel (the internet-facing interface at SiteB). Then set up a unique ID.

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.100.1 1 encapsulation l2tpv3 manual pw-class CL-XCONNECT
 l2tp id 1 2
!

Site B is the mirror opposite;

!
pseudowire-class CL-XCONNECT
 encapsulation l2tpv3
 protocol none
 ip local interface Ethernet 0/0
!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.200.1 1 encapsulation l2tpv3 manual pw-class CL-XCONNECT
 l2tp id 2 1
!

To test, you can use the 'show l2tun tunnel all' command.

Option 2: MPLS

Hang about! Isn't MPLS very complicated? Well not for layer two networks. There are certain steps we have to take;

Backbone routers (that will be Site A, Site B, AND the ISP one) will need a loopback address (don't forget these addresses will need advertising into whatever routing protocol is running over the backbone).

Site A

!
interface Loopback1
 ip address 192.168.255.4 255.255.255.255
!

Site B

!
interface Loopback1
 ip address 192.168.255.3 255.255.255.255
!

ISP

!
interface Loopback1
 ip address 192.168.255.2 255.255.255.255
!

Backbone Routers: Enable MPLS on all the interfaces that will pass traffic;

Site A

!
interface Ethernet0/0
 ip address 192.168.200.1 255.255.255.0
 mpls ip
!

Site B

!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 mpls ip
!

ISP

!
interface Ethernet0/0
 ip address 192.168.100.254 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip address 192.168.200.254 255.255.255.0
 mpls ip
!

Client-facing interfaces (these can also be sub-interfaces, if you are trunking) need xconnect setting up; the syntax is as follows:

xconnect {ip-of-target-loopback} {id-must-match-other-end} encapsulation mpls

Site A

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.255.3 3000 encapsulation mpls
!


Site B

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.255.4 3000 encapsulation mpls
!

Option 3: VPLS

Virtual Private LAN Service is pretty much designed to do exactly what we want: it lets us stretch layer 2 networks to multiple points. Let's assume both my network segments (above) need to be in VLAN 300, so they share the same broadcast domain.

The setup process is similar to MPLS: you create a loopback interface on the backbone routers, advertise those addresses into the routing protocol of your choice, then you enable 'mpls ip'. But then, on the routers that face the clients, you need to create a 'vfi' (virtual forwarding instance).

interface Vlan300
 mtu 1600
 xconnect vfi VPLS-300

Note: Obviously the physical interface connected to the clients, needs to be in VLAN 300, and don't forget (at both ends), to make sure that vlan 300 is up (no shut).

To Test:

SiteA#show mpls l2transport vc 300

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
VFI VPLS-300   VFI                        192.168.255.3     300        UP

and

SiteA#show mac address-table vlan 300

Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
        S - secure entry
        R - router's gateway mac address entry
        D - Duplicate mac address entry

Displaying entries from active supervisor:

     vlan   mac address    type   learn    age                 ports
----+----+---------------+-------+-----+----------+-----------------------------
*     300 0050.56ab.2eae  dynamic  Yes       90     VPLS peer 192.168.255.3(2:1)
*     300 0050.56ab.12ee  dynamic  Yes      340     VPLS peer 192.168.255.3(2:1)

In the bottom example, you can see MAC addresses being learned from the 'other' side of the VPLS link.

 

Related Articles, References, Credits, or External Links

NA

Exchange 2016 / 2013 Default Receive Connector Settings


KB ID 0001314 Dtd 27/05/17

Problem

Out of the box, Exchange 2016 (&2013) has five receive connectors. Three for the frontend transport service and two for the mailbox transport service.

  • Front End Transport Service: Does not alter, inspect, or queue mail. It is the first port of call for ALL mail coming into (and out of) the Exchange organisation. This service creates THREE receive connectors, all bound to every IPv4 address (0.0.0.0) and every IPv6 address;
    • Client Frontend {Server-Name}: Listens on TCP 587 (secure SMTP). It is generally only used by POP clients that are ‘Authenticated’, and are therefore able to send mail through the Exchange org.
    • Default Frontend {Server-Name}: Listens on TCP 25 (SMTP) and will allow Anonymous connections (by default). Note: Your incoming mail (from the public internet) usually comes in through this connector.
    • Outbound Proxy Frontend {Server-name}: Confusingly, this is actually a send connector and it’s only used if you have set your ‘send connector’ to proxy through one of your Exchange servers.
  • Mailbox Transport Service: Does NOT receive mail from clients; it (as the name implies) routes mail between mailboxes and the Front End Transport Service. It is further broken down into;
    • Mailbox Transport Submission Service:
    • Mailbox Transport Delivery Service:
  • This creates two more receive connectors;
    • Client Proxy {Server-Name}: Listens on TCP 465.
    • Default {Server-Name}: Listens on TCP port 25 (or 2525).

So what if someone ‘fiddles’ with them, or you are unsure if they are setup correctly?

 

Solution

Default Receive Connectors

Default Receive Connectors Settings

If you just want to check the settings in the Exchange Admin Center;

  • Client Frontend {Server-Name}
    • General Settings;
      • Name: Client Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
    • Permission Groups;
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 587
        • (All Available IPv4) Port 587
      • FQDN: {The internal FQDN of your server}
  • Client Proxy {Server-Name}
    • General Settings;
      • Name: Client Proxy {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 465
        • (All Available IPv4) Port 465
      • FQDN: {The internal FQDN of your server}
  • Default {Server-Name}
    • General Settings;
      • Name: Default {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 2525
        • (All Available IPv4) Port 2525
      • FQDN: {The internal FQDN of your server}
  • Default Frontend {Server-Name}
    • General Settings;
      • Name: Default Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Anonymous
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 25
        • (All Available IPv4) Port 25
      • FQDN: {The internal FQDN of your server}
  • Outbound Proxy Frontend {Server-Name}
    • General Settings;
      • Name: Outbound Proxy Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: Verbose
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 717
        • (All Available IPv4) Port 717
      • FQDN: {The internal FQDN of your server}
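The list above is a reference; the useful thing to do with it is compare a live server against it. The script below is an added example (not part of the article or its downloadable scripts) that audits the five default receive connectors on one server against the ports, permission groups, logging level, size and hop limits listed, and flags anonymous submission on any connector other than Default Frontend. It assumes it runs in the Exchange Management Shell on Exchange 2013/2016; `$server` is an assumption, replace it with the server to check.

```powershell
# Added example (not the article's or its download scripts): audit the default receive
# connectors against the values listed above. Assumes the Exchange Management Shell.
$server = $env:COMPUTERNAME   # assumption: audit the local server

# Expected values transcribed from the list above.
$expected = @{
    'Client Frontend'         = @{ Port = 587;  Groups = @('ExchangeUsers');                                           Logging = 'None'    }
    'Client Proxy'            = @{ Port = 465;  Groups = @('ExchangeServers','ExchangeUsers');                         Logging = 'None'    }
    'Default'                 = @{ Port = 2525; Groups = @('ExchangeServers','ExchangeLegacyServers','ExchangeUsers');  Logging = 'None'    }
    'Default Frontend'        = @{ Port = 25;   Groups = @('ExchangeServers','ExchangeLegacyServers','AnonymousUsers'); Logging = 'None'    }
    'Outbound Proxy Frontend' = @{ Port = 717;  Groups = @('ExchangeServers');                                         Logging = 'Verbose' }
}

function Test-DefaultReceiveConnectors {
    param([string]$ServerName)
    foreach ($name in $expected.Keys) {
        $rc = Get-ReceiveConnector -Identity "$ServerName\$name $ServerName" -ErrorAction SilentlyContinue
        if (-not $rc) { "MISSING  $name"; continue }
        $want = $expected[$name]

        # Bindings is a collection of IP:port bindings; every binding should use the expected port
        $ports = @($rc.Bindings | ForEach-Object { $_.Port } | Sort-Object -Unique)
        if ($ports.Count -ne 1 -or $ports[0] -ne $want.Port) {
            "DRIFT    $name : bound to port(s) $($ports -join ',') but expected $($want.Port)"
        }

        # PermissionGroups is a flags enum; compare it as a set so ordering does not matter
        $have = @("$($rc.PermissionGroups)" -split ',\s*' | Sort-Object)
        if (Compare-Object $have ($want.Groups | Sort-Object)) {
            "DRIFT    $name : permission groups '$($rc.PermissionGroups)' but expected '$($want.Groups -join ', ')'"
        }
        # Anonymous submission belongs on Default Frontend only; anywhere else it invites relay abuse
        if ($name -ne 'Default Frontend' -and $have -contains 'AnonymousUsers') {
            "RISK     $name : anonymous submission is enabled on a connector that should not accept it"
        }

        if ("$($rc.ProtocolLoggingLevel)" -ne $want.Logging) { "DRIFT    $name : protocol logging $($rc.ProtocolLoggingLevel), expected $($want.Logging)" }
        if ($rc.MaxMessageSize.ToMB() -ne 36)               { "DRIFT    $name : max message size $($rc.MaxMessageSize), expected 36 MB" }
        if ($rc.MaxHopCount -ne 60 -or $rc.MaxLocalHopCount -ne 12) { "DRIFT    $name : hop counts $($rc.MaxLocalHopCount)/$($rc.MaxHopCount), expected 12/60" }
        if (-not $rc.Enabled) { "WARN     $name : connector is disabled" }
    }
}

$findings = @(Test-DefaultReceiveConnectors -ServerName $server)
if ($findings.Count) { $findings } else { "All five default receive connectors on $server match the expected settings." }
```

Run it before and after the recreate scripts described below and the two outputs should both be clean; the RISK line is the one to act on immediately, because a connector that accepts anonymous mail on an unexpected port is the classic way an Exchange server ends up relaying spam.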

Recreating Your Exchange Receive Connectors From Scratch

Note: We are talking about the default receive connectors here; if you have created any of your own, for mail relaying from a device for example, you would need to recreate those manually. Below we are going to delete all the default connectors and recreate them with a PowerShell script.

Download Recreate Default Exchange Receive Connectors Scripts

Optional: Take a backup of the default receive connectors settings to a text files. Run the ‘Backup-Connector-Settings.ps1‘ script. This will dump the settings to the root of the C: drive in ‘Current {Server-Name} {Connector-Name}.txt’ format.

Export Receive Connector Settings

You can now delete the default receive connectors (Warning: Notice I said default receive connectors, this may or may not be all the connectors).

Recreate the Default Receive Connectors: Run the ‘Create-Default-Receive-Connectors.ps1‘ script.

Recreate Default Exchange Connectors

Optional: You can now output the settings of the new connectors, (why? So you can compare them to your original settings.) Run the ‘AFTER-Connector-Settings.ps1’ script. This will dump the settings to the root of the C: drive in ‘Receive {Server-Name} {Connector-Name}.txt’ format.

Export Receive Connector settings after

You can now compare the two sets of files; the only differences are usually the creation date and the GUID.

Compare Differences Receive Connectors

 

Related Articles, References, Credits, or External Links

NA

Migrating WordPress From One Server To Another


KB ID 0001315 Dtd 31/05/17

Problem

I have to say before I start that most of the credit for this article lies with Allen White from www.techieshelp.com, who gave me the three most important pieces of information that you need to migrate your WordPress site.

Three Things You Need;

  • The contents of your wp-content directory.
  • The contents of the root of your site.
  • A backup of your database, (this is a lot easier than you think).

Now there may be a couple of exceptions, for example, if your site runs https you might also need a copy of your certificates, and if you have any sub-folders in your site you will also need a copy of those folders as well.

Would it be easier to get an application or plugin to do this for me? Well, I use UpdraftPlus and I also use BackWPup (both of which are free). But to be honest you just need access to the site from an FTP/SFTP client (I prefer FileZilla, again because it's free), or you can simply use WinSCP (again free).

Solution

Before you start: You need a WordPress server set up with a blank install of WordPress ready to accept your data. I'm not covering that in this article; this article is primarily to cover migrating your site contents. (Though watch this space, I'm going to post a full WordPress install on LEMP article soon.)

To make things simple, set up the new database with the same name, username, and password (get these from your live site's wp-config.php file).

I would also update your live site to the latest version of WordPress before you migrate, or when you connect you may see a dialog about updating the database and have a bit of downtime.

Backup Your WordPress Data

First connect to your live website and download a copy of your 'wp-content' folder;

WP Content Directory

Note: The more eagle eyed among you will notice I've got an 'extra' folder in my site, called 'KB'  that folder will also need downloading.

Now download ALL the files in the root of your website.

HTML Root Directory

Now to get a copy of your database you will need to know what it's called. If you have forgotten, open your wp-config.php file (it's in the root of your website) with a text editor, and look for the following;

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'NAME-OF-YOUR-DATABASE');

You will also need the root password for your SQL installation; it will be blank unless you changed it when you installed MySQL or MariaDB (by running 'sudo mysql_secure_installation').

Connect to your server via SSH or log directly onto its console, and run the following command;

mysqldump -u root -p NAME-OF-YOUR-DATABASE > data-dump.sql

Supply the password and a backup of the database will appear in the folder you are in, (download that also).

Export SQL Database

I don't know the SQL root password? You can get the username and password that the SQL user uses (again from the wp-config.php file) and use: mysqldump -u {username} -p{password} {database name} > data-dump.sql (note there is no space between -p and the password; with a space, mysqldump treats the next word as the database name and prompts for the password instead).

Restoring Your WordPress Data

Database

Now connect to your new WordPress site with your FTP/SFTP client, and upload the data-dump.sql file.

Connect to your site via SSH, and navigate to the directory you have just uploaded the data-dump.sql file to. You can import the data into your new database with the following command;

mysql -u root -p NAME-OF-YOUR-DATABASE < data-dump.sql

Note: The command mirrors the backup command above, but this time it is the mysql client (mysqldump can only export), and you use the 'less than' symbol to feed the dump file in.

Supply the root password for the destination SQL server.

Data

Restore the contents of your wp-content folder that you backed up earlier directly over the top of the wp-content directory on the new server.

Upload wp-content

Repeat for any other folders BUT NOT wp-admin or wp-includes.

What this does;

  • Restores your theme(s) and CSS files.
  • Restores your plugins.
  • Restores your WordPress users, and passwords
  • Restores all your posts/pages and media
  • Restores all comments.

Finally restore the files that are in the root of your website, (except the wp-config.php file, as I'm assuming the new site already has a new wp-config.php file with all the right settings in it). 

 

Can this be done any quicker? Yes if you use the BackWPup plugin, you can get it to do a backup of SQL for you, and backup all the files and folders in your site. I back these up to DropBox automatically, so every day they are already on my laptop, this saves me having to download everything. It also means I can rebuild my website if my web server breaks.

Related Articles, References, Credits, or External Links

NA

Ubuntu: Setting Up a WordPress Website with LEMP – Part 1


KB ID 0001318 Dtd 17/06/17

Problem

At the time of writing this site is running on CentOS 7 LAMP (Linux, Apache, MySQL and PHP). Well, I'm actually using MariaDB, not MySQL, as it's 'supposed' to be a little faster, but they are similar enough to be accepted. I'm planning to migrate to Ubuntu 17 LEMP (Linux, 'EnginX', MySQL and PHP), again with MariaDB. As the site is getting more traffic I want to utilise the better performance of nginx (I know I called it EnginX above, but 'LNMP stack' doesn't sound so good, and nginx is pronounced 'engine x').

So the following series of articles will be how to install nginx, MariaDB, PHP and WordPress.

Solution

Installing Linux

You have essentially two choices: do what most people do and go to a hosting company and rent a VPS (virtual private server) for a monthly fee. Then when you set it up you can select what flavour of Linux you require, press go, and by the time you have had a coffee they will have emailed you the IP and logon details, and Linux is already installed for you. You can of course install Linux on your own server and, as long as you can make it publicly available, use that.

Create a Linux Server

The main difference is, if your hosting company builds it for you, the root user will be enabled and you will connect with the root user and password. If you build your own server you will connect with a user account and root will be disabled. If you know nothing about Linux, that means to execute any system-level commands you need to prefix them with 'sudo' (or type su and enter the root password). If you are logged in as root and use sudo it does not make any difference, so I will prefix all the commands I use below with sudo to make things easier; just remember the first time you use sudo it will ask for your password again.

Why Ubuntu? Well, I use CentOS presently, but while doing research there was little information on getting nginx and PHP7 running on CentOS, and there was for Ubuntu. That's the only reason I'm switching OS.

Update The Server

It might have been built from an image, but that does not mean that the image was up to date. Thankfully that's simple to fix; run the following command to see if there are any updates.

sudo apt update

Update Ubuntu

In my example there are two updates; I can install them with the following command (you may be asked to answer 'y' for yes);

sudo apt upgrade

Upgrade Ubuntu

Change the Linux SSH Port

I've had servers compromised in the past so let's start with some basic security, I always change the default SSH port, in this example I'll use 2223 (instead of the default SSH port of 22).

Edit the SSH config file;

sudo nano /etc/ssh/sshd_config

Uncomment and change the Port number to something other than 22, (make it above 1024 to be on the safe side, I'm using 2223).

Change SSH Port enable root

Note: If you built your own server, and you are allowing root access to SSH you may want to see the following article;

Ubuntu: Allow SSH access for 'root' user

Protect Your Web Server With a Firewall

Traditionally Linux uses iptables (or FirewallD for CentOS). I like iptables, because like all things Linux I worked out how to set it up, and wrote it down. Ubuntu has a 'front-end' to iptables that's still command driven, called UFW (uncomplicated firewall), which I didn't want to learn about because I use iptables! But in all honesty UFW is so simple it's painfully easy.

I want to allow TCP 80 (http), TCP 443 (https), and TCP 2223 (for my SSH server). And that's it, block everything else incoming, allow the server to speak out, and secure the server.

Run the following commands;

sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 2223/tcp

Ubuntu Web Server Firewall Settings

Then enable the firewall, and set it so that it starts when the server reboots, you can also check its status for peace of mind;

sudo ufw enable
sudo ufw status

Check Webserver Firewall Settings
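A lock-out check worth running before 'sudo ufw enable': the SSH port was just changed in sshd_config, and a default-deny firewall that does not allow that port cuts off the only way back in. This is an added example, not part of the original article; the sshd_config fragment and the 'ufw status' text it checks are constructed stand-ins for the real file and the real command output.

```shell
#!/bin/sh
# Added example (not from the original article): confirm the SSH port in
# sshd_config is allowed by ufw BEFORE enabling the default-deny firewall.

# Print the effective SSH port from an sshd_config file.
# Only uncommented 'Port' lines count; stock Ubuntu ships '#Port 22', so
# with no active Port line the daemon default of 22 is returned.
ssh_port_from_config() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${port:-22}"
}

# Return 0 when the supplied 'ufw status' output contains an ALLOW rule for
# PORT/tcp, 1 otherwise. The text is passed in (rather than read from ufw
# directly) so the check also works on a saved copy or, as below, offline.
ufw_allows_tcp() {
    printf '%s\n' "$2" | grep -Eq "^$1/tcp[[:space:]]+ALLOW"
}

# Combined check: exit status 0 means 'ufw enable' will not cut off SSH.
check_ssh_not_locked_out() {
    port=$(ssh_port_from_config "$1")
    if ufw_allows_tcp "$port" "$2"; then
        printf 'ok: ssh port %s is allowed by ufw\n' "$port"
        return 0
    fi
    printf 'WARNING: ssh port %s is NOT allowed by ufw, run: sudo ufw allow %s/tcp\n' "$port" "$port" >&2
    return 1
}

# --- Demo on constructed input. A real run would be:
#     check_ssh_not_locked_out /etc/ssh/sshd_config "$(sudo ufw status)"
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# constructed sshd_config fragment
#Port 22
Port 2223
PermitRootLogin prohibit-password
EOF

# constructed 'ufw status' output, as it looks after the rules in the article
demo_ufw_ok='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
2223/tcp                   ALLOW       Anywhere'

# same output, but the admin forgot 'sudo ufw allow 2223/tcp'
demo_ufw_bad='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

check_ssh_not_locked_out "$demo_config" "$demo_ufw_ok"          # prints ok
check_ssh_not_locked_out "$demo_config" "$demo_ufw_bad" || true # prints warning
rm -f "$demo_config"
```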

Install and Configure MariaDB

Like most things Linux, installing MariaDB is simple, run the following command;

sudo apt install mariadb-server mariadb-client

Then make sure it's up and running;

systemctl status mysql

Check MariaDB is running

Note: If it looks like it's frozen, press Ctrl+C to get the cursor back.

Set MariaDB to start when the server restarts;

sudo systemctl enable mariadb

Secure MariaDB: At the moment MariaDB will have a blank root password, (it has its own root user). So to secure it you simply run;

sudo mysql_secure_installation

Note: It immediately asks for a password, (it will be blank so hit {Enter},) answer 'Y' to set a root password, set a fresh one (you will need it in a minute, so remember what it is!) Then accept all the defaults by just pressing {Enter}.

Secure MariaDB

Create Your WordPress Database

WordPress needs a database, to get WordPress talking to MariaDB (or MySQL) you need three things;

  • A database name.
  • A username to access the database.
  • A password for that user.

So in the following example I will use;

  • Database Name: PETESDATABASE
  • Username: petesuser
  • Password: P@ssword12345

Execute the following commands one by one;

sudo mysql -u root -p
{Enter the root password you just set for MariaDB}
CREATE DATABASE PETESDATABASE;
CREATE USER 'petesuser'@'localhost' IDENTIFIED BY 'P@ssword12345';
GRANT ALL ON PETESDATABASE.* TO 'petesuser'@'localhost' IDENTIFIED BY 'P@ssword12345';
FLUSH PRIVILEGES;
exit

Create WordPress Database

 

In Part Two (coming soon) we will install nginx and PHP.

Related Articles, References, Credits, or External Links

NA

Ubuntu: Allow SSH access for ‘root’ user


KB ID 0001317 Dtd 02/06/17

Problem

First of all, not being able to connect to your Ubuntu server via SSH as root is 'by design', and it's a perfectly good security measure. I do find it interesting that every hosting company I have ever used spins up a new machine and then emails me the root password, so they've enabled it anyway.

I needed to enable this recently and the internet is full of posts saying 'just edit the config file, and restart the service'. What they don't tell you is that the root user is disabled by default, so even with a valid password, IT STILL WON'T WORK!

Solution

Connect to your Ubuntu machine, and reset the root user password, (so you know what it is).

sudo passwd root

Reset Root Password

As shown you will need to enter your password first, then enter and confirm a new root password.

Then 'unlock the root account';

sudo passwd -u root

Unlock the root account

Note: If you ever want to 'lock' it again, use (sudo passwd -l root).

Now you can edit the sshd config file;

sudo nano /etc/ssh/sshd_config

Locate the line 'PermitRootLogin' and change it so it ONLY says yes (as below).

Change SSH Port and Allow Root

Note: Here I'm also changing the SSH port (to 2223 in this example, from the default port of 22), I usually change the default SSH port.

Now finally, restart the SSH daemon, (that always looks like it's spelled incorrectly!) with the following command;

sudo service sshd restart

Don't forget if, (like me) you changed the port, you will need to specify that in your client connection software (i.e. PuTTy or RoyalTSX).

Related Articles, References, Credits, or External Links

NA


Cisco ASA: ‘ERROR: Multiple Peers can be specified only with originate-only connections’


KB ID 0001316 Dtd 02/06/17

Problem

This week I had a client who had a head office and three satellite sites. They had old firewalls (a 5510 and 5505's), and my firm had installed FTTC circuits into the sites for them. My job was to reconfigure the firewalls and the site to site VPN tunnels (each site had a tunnel to the other sites), then disconnect their old ADSL connections, change the firewalls' public IPs, then connect to the shiny new FTTC circuits.

To save on downtime, my plan was to create new tunnel-groups for all the new IP addresses with the same shared-secrets, then add the new IPs as alternative crypto map peers. That way I could migrate all the sites and the only downtime would be when I changed the firewall to the new IP and plugged into the new router, cool eh?

All was going well until I hit the third satellite site and tried to add a second VPN peer like so...

crypto map outside_map 1 set peer {new-ip-address} {old-ip-address}

It returned this error;

 ERROR: Multiple Peers can be specified only with originate-only connections

Solution

None of the other sites had done this, and I've done redundant VPN configs many times, (see the failover ISP article at the bottom of the page.) I had never seen this error before.

I made the 'mistake' of adding;

crypto map outside_map 1 set connection-type originate-only 

A few minutes later I got an email "That site's VPNs have all gone down?". On investigation the remote site thought the tunnel was up, (it was even encrypting and decrypting layer two traffic?) The main site didn't even say phase one was attempting. I changed all the crypto maps back to a single peer IP and removed the 'connection-type originate-only' from all the crypto entries as well, and everything started working again.

I found a bug report for something similar (CSCsd21514) but that affected version 7. I did a show version on the firewall and it was running 7.2 (eeurgh.) I updated it to 8.3, (yes I could go to 9 but let's not tempt fate). The problem disappeared, it accepted the redundant VPN config and everything worked, (I flipped the circuit on this problem firewall this morning and downtime was less than 10 seconds).

Related Articles, References, Credits, or External Links

Cisco ASA/PIX Redundant or Backup ISP Links with VPNs

Ubuntu: Setting Up a WordPress Website with LEMP – Part 2


KB ID 0001319 Dtd 17/06/17

Problem

Back in part one we deployed the server and set up our database, now we are going to set up our nginx web server, and get it to work with PHP.

Solution

Install NGINX

To get the nginx package installed;

sudo apt install nginx

Install nginx

Now ensure nginx is set to start automatically with the server, and manually start the service.

sudo systemctl enable nginx
sudo systemctl start nginx

Autostart nginx

Make sure it's up and running;

systemctl status nginx

Check nginx is running

Now to test whether the web server is up and running, get the IP address (ifconfig), and browse to the IP address; you should see the nginx welcome page.

Linux find your IP address

Test nginx

Note: If you get a 403 error, issue a 'sudo cp /var/www/html/index.nginx-debian.html /var/www/html/index.html' command and try again.

Install PHP7

Run the following command;

sudo apt install php7.0-fpm php7.0-mbstring php7.0-xml php7.0-mysql php7.0-common php7.0-gd php7.0-json php7.0-cli php7.0-curl

Start the service and check it's running;

sudo systemctl start php7.0-fpm
systemctl status php7.0-fpm

Start PHP set to Autostart

Now to enable nginx to pass information to the FastCGI server (which allows PHP scripts to be executed outside the web server). Your nginx install should be taking its settings from a configuration file '/etc/nginx/sites-enabled/default'. To make sure, execute an 'nginx -t' command. We need to edit that file.

Note: Below you will want to change the server_name value (shown as 123.123.123.12) to match your server; the .htm rewrite and the static file caching block are optional. You can remove all the contents of the existing file and paste in the following.

To Edit;

sudo nano /etc/nginx/sites-enabled/default

# Default server configuration

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Set the root directory for the entire website
    root /var/www/html/;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    # Add the server IP address or FQDN
    server_name 123.123.123.12;

    # Auto remove and rewrite .htm from requests (to maintain old back-links)
    rewrite ^(/.*)\.htm(\?.*)?$ $1$2 permanent;

    # The following does the WordPress rewrites for the permalinks
    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    # Allow the client to cache static files for 1 year
    # (the dot is escaped so it matches a literal '.', not any character)
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }

    # Pass PHP scripts to the FastCGI server (the PHP-FPM socket)
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }
}

Now save and exit the file, and make sure it's OK by running;

nginx -t

Providing it says 'successful', reload nginx.

Check nginx conf

sudo systemctl reload nginx

Testing PHP7 Works

Make sure we are up and running on version 7.

php --version

Check PHP Version

Now just to be sure we are going to create a test page, put in some PHP and make sure it works.

Create a file;

sudo nano /var/www/html/test.php

Paste in the following;

<?php phpinfo(); ?>

Save and exit the file, then browse to http://{ip-address}/test.php it should look something like the image below.

Check PHP Working

It's considered bad practice to have that file on the server (it discloses your PHP configuration to anyone who requests it), so let's delete it with the following command;

sudo rm /var/www/html/test.php

 

That's us with a fully functioning nginx web server that's processing PHP. In part three we will install WordPress, connect it to the database we made earlier, and then you will be ready to start posting.

Related Articles, References, Credits, or External Links

NA

Ubuntu: Setting Up a WordPress Website with LEMP – Part 3


KB ID 0001320 Dtd 04/06/17

Problem

So you want your own web server running WordPress? Previously in Parts One and Two, we set up a new Linux box, and got all the prerequisites installed. Now it's time to deploy WordPress.

Solution

There are a few extra bits we need to add to the PHP installation before we setup WordPress, to get those installed run the following command;

sudo apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc

Then restart PHP;

sudo systemctl restart php7.0-fpm

Download and Install WordPress.

We are going to use the /tmp directory and download wordpress into that, you don't need to worry about what version to download because the good folk at WordPress use the same URL for the latest version and keep it updated.

cd /tmp
curl -O https://wordpress.org/latest.tar.gz

Download latest WordPress

If you didn't already guess from the file extension, the WordPress files are compressed, we need to 'extract' them.

tar xzvf latest.tar.gz

WordPress has a file called wp-config.php in the root of the website that we will be editing in a while, so we are going to create that file by using the 'sample' file provided.

cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php

And, to save you hassle, (in future) we will pre-create the folder that WordPress will need when you eventually come to upgrade it, it will also, (after we have moved it in a minute),  have the correct permissions.

mkdir /tmp/wordpress/wp-content/upgrade

Now we have all the files, but they are in the WRONG PLACE; they are all sat in the /tmp directory, but we want them in the root of your website, i.e. the /var/www/html directory. So to copy them (in bulk);

sudo cp -a /tmp/wordpress/. /var/www/html

You won't see anything happen, but if you have a look in your /var/www/html directory, the files will be there.

WordPress Directory

To set the correct permissions, execute the following commands;

sudo chown -R www-data /var/www/html
sudo find /var/www/html -type d -exec chmod g+s {} \;
sudo chmod g+w /var/www/html/wp-content
sudo chmod -R g+w /var/www/html/wp-content/themes
sudo chmod -R g+w /var/www/html/wp-content/plugins

Configuring WordPress

Run the following, and it will return a large block of incomprehensible text; 

curl -s https://api.wordpress.org/secret-key/1.1/salt/

WordPress Secure Text

COPY THAT TEXT TO THE CLIPBOARD (Yours will look different to the one above!)

Now edit the wp-config.php file; when it's open go to the section that 'looks like' the text you copied above and paste your text over the top.

sudo nano /var/www/html/wp-config.php

WordPress Config Security

WordPress Config Security After

While you are still in the file, you need to enter the database settings you set up in Part One. Near the top of the file you will see there's a space for database name, username and password.

WordPress Config Database Settings

Enter your settings;

WordPress Config Your Database Settings

Save and close the file.
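The copy-and-paste of the salt block is easy to get wrong (one placeholder line left behind is enough to weaken the cookie keys), so here is an added example, not from the original article, that swaps the eight define() lines out for the block returned by the salt URL above and then verifies no 'put your unique phrase here' placeholder survives. The wp-config.php fragment and the salt values it uses are constructed stand-ins so it runs offline; in real use feed it the actual file and the saved curl output.

```shell
#!/bin/sh
# Added example (not from the original article): install the WordPress
# salt block into wp-config.php and verify the placeholders are gone.

SALT_NAMES='AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT'

# Replace every define() line for the salt names in CONFIG with the contents
# of SALTFILE (the curl output), leaving every other line untouched. The
# result is written back with cat so the file keeps its owner and mode.
install_wp_salts() {
    config="$1"; saltfile="$2"
    tmp=$(mktemp)
    awk -v saltfile="$saltfile" -v names="$SALT_NAMES" '
        BEGIN { pat = "^define\\(.(" names ")." }
        $0 ~ pat {
            # first salt line: emit the new block in its place; drop the rest
            if (!done) { while ((getline line < saltfile) > 0) print line; done = 1 }
            next
        }
        { print }
    ' "$config" > "$tmp" && cat "$tmp" > "$config"
    rm -f "$tmp"
}

# Number of salt defines still holding the sample placeholder (want 0).
count_placeholder_salts() {
    grep -c "put your unique phrase here" "$1" || true
}

# Number of salt define lines present (want exactly 8 after installing).
count_salt_defines() {
    grep -Ec "^define\(.($SALT_NAMES)." "$1" || true
}

# Write a constructed wp-config.php fragment and a constructed salt block to
# the two paths given: stand-ins for the real file and the real API output.
make_demo_files() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'PETESDATABASE');
define('DB_USER', 'petesuser');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    # NOT real salts: constructed values so the demo runs offline
    cat > "$2" <<'EOF'
define('AUTH_KEY',         'constructed-sample-1');
define('SECURE_AUTH_KEY',  'constructed-sample-2');
define('LOGGED_IN_KEY',    'constructed-sample-3');
define('NONCE_KEY',        'constructed-sample-4');
define('AUTH_SALT',        'constructed-sample-5');
define('SECURE_AUTH_SALT', 'constructed-sample-6');
define('LOGGED_IN_SALT',   'constructed-sample-7');
define('NONCE_SALT',       'constructed-sample-8');
EOF
}

# --- Demo. Real use:
#     curl -s https://api.wordpress.org/secret-key/1.1/salt/ > salts.txt
#     sudo sh -c '. ./this_script; install_wp_salts /var/www/html/wp-config.php salts.txt'
cfg=$(mktemp); salts=$(mktemp)
make_demo_files "$cfg" "$salts"
install_wp_salts "$cfg" "$salts"
printf 'placeholders left: %s, salt defines present: %s\n' \
    "$(count_placeholder_salts "$cfg")" "$(count_salt_defines "$cfg")"
rm -f "$cfg" "$salts"
```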

Now if you browse to your website, you should see the WordPress language selection, select your language and enter the settings and logon details for your website.

WordPress Setup

You will be logged into your site's admin panel (http://your-site/wp-admin). From here you can install new themes, add new plugins, and create new posts. Your website will now be 'live'.

Your WordPress Site

If you are migrating data from another WordPress site into this one, see the following article;

Migrating WordPress From One Server To Another

If you are unsure on how to setup DNS records for your website see the following article;

Setting up the Correct DNS Records for your Web or Mail Server

Related Articles, References, Credits, or External Links

NA

Windows Folder Redirection


KB ID 0000467 Dtd 10/06/17

Problem

Q: What is Folder Redirection?

A: Essentially you can take folders that hold things like your "My documents" or your "Favorites" folder, and put them out on a network server, which is great if you want to back that sort of information up for disaster recovery.

Q: What's the difference between this and a roaming / roving profile?

A: Folder redirection keeps information on a server and you access it remotely, Roaming profiles are designed to sync that information (and your WHOLE user profile) backwards and forwards to a network share as your users logon and log off.

Q: What folders can be redirected?

A: From Server 2008 onwards, and with Windows 7 clients and above, the following can be redirected.

  • AppData(Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

1. On a server create a folder to hold the redirected data, In this case you will notice I've called my share Redir$ (The dollar sign just means it's a hidden share, and can't be seen if people are network browsing).

hidden share

Folder Redirection: Permissions for the Root Folder

2. Set the share permissions to Everyone: Full Control (Don't worry we will secure it with NTFS permissions).

redirection share permission

3. On the security tab of the folder click advanced.

redirect permission

4. For Server 2012 / 2016 you should see something like this;

For Server 2008 and older it should look more like this;

ntfs permissions

5. For server 2012 / 2016 Disable Inheritance and select 'Convert'.

Disable Inheritable Permissions

For 2008 and older, untick "Include Inheritable permissions from this object's parent" > At the warning click "Add".

inheritable permissions

6. Select each User in turn (You will need to add the Everyone group) > Then Edit the permissions so that they are as follows.

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only).
  • System - Full Control (Apply onto: This Folder, Subfolders and Files).
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files).
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only).
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only).
  • Everyone - Read Attributes (Apply onto: This Folder Only).
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only).

2012 / 2016

Add Everyone

'Show Advanced Permissions'

Advanced Permissions

Add NTFS Permission Everyone

2008 and older.

folder redirect ntfs permissions

7. Now REMOVE BOTH the entries for USERS > Apply  > OK.

Remove User Access

7. On your domain controller open the Group Policy Management Console, (Under Administrative Tools) and either create a new USER policy or edit one that is already linked to the users you want to enforce this policy upon.

new gpo

8. I prefer to create a new policy and call it something sensible so if there's a problem it's easy to find in the future.

name gpo

9. Navigate to:

User Configuration > Policies > Windows Settings > Folder Redirection

Locate the folder you want to redirect (In this case its just the documents folder) > Right click > Properties.

redirect folders

10. I'm going to redirect all my users' documents to the one folder I created earlier, so I will choose basic.

Note: You can choose "Advanced" and redirect different groups folders to different locations.

Enter the path to the root folder AS A UNC PATH, DON'T click the browse button and browse to it.

basic redirection

11. I'm going to accept the defaults on the settings tab. The option I've highlighted creates the folders with exclusive rights for the user in question and SYSTEM, so the domain admin has no access (this is OK, it's the same way user profiles work, and you can still back them up).

grant user exclusive rights

12. Now as your users log on their folders will be redirected to the share you setup.

folderlist

Backing up Redirected Folders

13. Even with exclusive rights you can still back this data up:

backup redirected backup sucessfull

Related Articles, References, Credits, or External Links

Original Article written 22/06/11

Updating the AnyConnect client for Deployment from the Cisco ASA 5500


KB ID 0000704 Dtd 15/06/17

Problem

Your ASA will (by default) update your AnyConnect clients to the latest client software when they connect. However you need to supply the ASA with the updated packages first.

Solution

1. Download the latest AnyConnect client package, from Cisco. The one you want will have a file extension of .pkg

AnyConnect 4

Download AnyConnect 4

AnyConnect 3

Download AnyConnect Client

2. Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) access > AnyConnect Client Software > Add.

Upload AnyConnect Package

 

Note: On older versions of the ASDM you will find the option under > Network (Client) access > Advanced > SSL VPN > Client Settings > Add.

AnyConnect Client software ASDM

3. Select Upload > Browse to the software you downloaded > Select.

 Upgrade AnyConnect Package

 

4. The file should upload to flash memory.

 Update AnyConnect Package

 

5. And it will tell you if it has been successful.

 Upload AnyConnect Package Sucessful

 

6. Select the new software and, using the ‘up arrow’ move it to the top of the list > Apply.

Note: At this point I also delete the old software packages.

 Delete AnyConnect Package

7. Don’t forget to upload the packages for Linux and macOS or you may see the following error;

The AnyConnect package on the secure gateway could not be located.

 

 

8. Remember to save the changes. File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Original article written: 02/11/12

Windows Server 2016 – Schedule a Reboot


KB ID 0001321 Dtd 17/06/17

Problem

Back in the day we just used the ‘At’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following;

At Command Depreciated

The AT command has been depreciated. Please use schtasks.exe instead

Solution

Launch Task Scheduler.

Launch-Task-Sheduler

Create Basic Task.

Shedule a Basic Task

Give the task a name, (and optionally a description) > Next > One time > Next > Enter the date and time for the reboot to occur > Next.

Server 2016 Shedule Reboot

Start a program > Next > Program/Script = PowerShell > Add Arguments = Restart-Computer -Force > Next > Finish.

Server 2012 Shedule Reboot

Related Articles, References, Credits, or External Links

NA

Audi – MMI v3 – Showing Album Art With Mp3 Files


KB ID 0001116 Dtd 25/06/17

Problem

A few weeks ago I changed cars, and I was pleased to see that the entertainment system in my new car could play music from an SD card. These are cheap and can hold a lot of songs, so rather than have my iPod in the car, I could simply drop music onto an SD card.

Which I did, but annoyingly none of the 'album artwork' was displayed, even though the music played fine. I did some Googling and read a few Audi forums, and finally got it to work.

Solution

There's a lot of conflicting information in forums on how to get this to work, so I will just tell you how I got mine working.

  • Car: Audi A6 (2013)
  • MMI Version 3

SD Card Size: Has to be 32GB or less. This is because it has to be formatted as FAT32; it's a limitation of the storage system, not Audi or the SD cards (yes you can have FAT32 drives bigger than 32GB, that's a different argument).

SSD Audi 32GB

To Check;

Mac OSX (right click > Get Info).

Mac OSX Get SD Size

Windows (Right Click > Properties).

Get Drive Details

Why is there a problem displaying Album art?

Well, (and I'm making the assumption your mp3 files actually have album art embedded within them, that's in the mp3 file, not in a different folder; if not get that sorted first!) the Audi will only display art if;

  • It's less than 500x500 pixels in size.
  • It's less than 254kb in file size (the image not the track!)

For example, below I'm using the excellent, (and free) Mp3tag to look at this song's details; see the album art is 2000x2000 pixels, and is 409Kb in size. Try to play this in the car and the music will play but you will just see a generic 'musical note' instead of the album art.

See album art size

Well that's OK, but manually resizing all your album art could take a long time, (I've got a large music collection). To do that requires another brilliant free piece of software called Bliss, (download here). I'm using Mac but there's a Windows version as well.

Windows Alternative

If I'm in Windows I use Sense Mp3 Art Sizer;

Resize Mp3 Art

Back to my mac..

Install and run the software, at this point it appears nothing has happened but you should see a large blue 'bl' at the top of the screen. Right click that, and it will open. Go to Settings.

Open Bliss

Change the music location, so that it points to your SD card.

Music Location Path

Under the cover art section click 'more'.


You now have the option to set the maximum size; set it to 500x500, and then set the maximum file size to 256KB. Click Apply Rules and it should rattle its way through all the songs on the SD card. Depending on how many you have, this can take a while.


Notice once complete, when looking at the album art it has been resized, and should now show correctly in the car.

resized album artwork

Additional Steps For Mac OSX Users.

Mac OSX has a habit of dropping some folders on the drive, and their names start with a full stop. Normally that is not a problem, but your Audi will not like this, (typically it scrolls through all the songs and does nothing).

Hidden folders on SD card

My Mac is set to show hidden folders, so you probably won't even be able to see them. To remove them open a terminal window, and execute the following two commands;

cd /volumes

ls


What this does is show you the names of the mounted volumes; mine's got a simple enough name because I called it PETES-AUDI, yours might be something else, so take note of what it's being called.

Then, change into the volume name for the card, change to match the name of yours, then issue three rm commands as shown below(rm is simply a remove command).

cd PETES-AUDI

rm -rf .f*

rm -rf .S*

rm -rf .T*

Delete Hidden Folders Mac

Then you can eject the SD card, and play it in the car.

Eject SD Card

Related Articles, References, Credits, or External Links

Original Article Written 17/12/15


Cisco ASA – Generate RSA Keypair From ASDM


KB ID 0001322 Dtd 27/06/17

Problem

I've lost count of the number of times this has happened to me! Most of my colleagues prefer to use the ASDM for remote management, but if (like me) you work at command line, then sometimes people <ahem> forget to generate the RSA keypair when deploying a firewall. Then even if SSH access and AAA is setup correctly, you still can't get in via SSH. Instead you see the following;

RoyalTS and RoyalTSX: ssh_exchange_identification: Connection closed by remote host.

RoyalTSX Disconnected broken pipe

PuTTY: PuTTY Fatal Error: Server unexpectedly closed network connection.

PuTTY Server unexpectedly closed

SecureCRT: Connection closed.

SecureCRT Connection Closed

OSX/Linux: ssh_exchange_identification: Connection closed by remote host.

SSH connection closed by remote host

Now at command line you can fix this with a 'crypto key generate rsa modulus 2048' command, but you can't get to command line, only the ASDM.

Solution

On older versions of the ASDM you could generate the keypair in the Identification Certificates section (well you still can, but only if you are also generating a certificate request file). So, as we are command line warriors, let's use the ASDM's command line!

Tools > Command Line Interface > Multiple Line 

conf t
crypto key generate rsa modulus 2048 noconfirm

Send > Wait a couple of minutes and try again.

Generate Identity Certificate from ASDM

REMEMBER: I'm assuming you have SSH setup correctly if not, see the following article;

Cisco ASA – Allow Remote Management

 

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER Management Center Appliance – Allowing Domain Authentication


KB ID 0001117 Dtd 28/06/17

Problem

Once deployed, authentication is handled by the appliance's own internal user database; in larger organisations this is a little impractical. So the ability to create an Active Directory group, and delegate access to FireSIGHT to members of that group, is a little more versatile.

Solution

I’m making the assumption that the appliance does not already have external authentication setup at all, so I’ll cover everything from start to finish.

Newer Versions

Logon to the Appliance > System > Users > External Authentication > Add External Authentication Object

FirePower-Domain-Auth

Older Versions

Logon to the Appliance > System > Local User Management > External Authentication > Create External Authentication Object.

Foresight Active Directory

  • Authentication Method: LDAP
  • Name: Choose a sensible name for the connection.
  • Server Type: MS Active Directory
  • Host Name/IP Address: the IP of your domain controller
  • Port:389 (this is standard LDAP)

Sourcefire LDAP

If you have a second Domain Controller enter the details here.

Foresight Backup Server

Note: In Active Directory, I’ve created a USER to make the connection to Active Directory with, and I’ve also created a SECURITY GROUP that my administrators will be in.

AD users and Groups Firesight

You can use the ldp.exe tool to locate and find the correct LDAP path for the user you created, (and the group because you will need that in a minute as well).

LDAP Path

  • Base DN: Usually the root of the domain, in standard LDAP format.
  • Username: The LDAP path to the user you created.
  • Password: For the user above.
  • UI Access Attribute: sAMAccountName
  • Shell Access Attribute: sAMAccountName

LDAP Parameters Firesight

I’m simply having one administrative group, if you have a granular RBAC requirement, there are a number of pre-configured roles you can assign your AD groups to, (or you can create custom ones). So I’m adding the LDAP path of my administrators group to the ‘Administrator’ role.

Also set the default role to ‘Security Analyst (Read Only)’.

Group Authentication firesight

  • Group Member Attribute: member.
  • Username: A user in the AD Administrative group you created.
  • Password: Password for the above account.

Press ‘Test’

Test AD Authentication

All being well you should see a success, Press Save.

External Authentication Test

Newer Versions

Switch the ‘slider’ to enabled > Save > Save and Apply. (Now skip to All Systems below).

Older Versions

You now need to add this to the policy being applied to this appliance. System > Local System Policy > Select the policy in use  >Edit.

System Policy AD Authentication

External Authentication

  • Status: Enabled
  • Default User Role: System Analyst (Read Only)

Finally change the slider button and ensure it is ticked. Save policy and exit.

Firepower Services AD

Now apply the policy (green tick).

SourceFire System Policy

Tick the appliance > Apply.

Apply Sourcefire Policy

Success.

Initial System Policy

All Systems

Now you can login with your administrative AD accounts.

FireSight Logon

You can also create a local user to match an AD account.

Firesight Local User

And get the appliance to use AD for authentication of this user.


Related Articles, References, Credits, or External Links

Original Article Written 18/12/15

FirePOWER Agent – Real-Time Status ‘Unavailable’


KB ID 0001323 Dtd 01/07/17

Problem

I was deploying a Cisco FirePOWER user agent last week, but once setup, the agent reported that the Real-Time status for SOME of the domain controllers was permanently ‘Unavailable’. Now I know you have to be patient with these things so I went and had a coffee.

Still it refused to ‘go green’.

Solution

In addition to all the other rights and firewall rules that you normally have to check, you may have to create another ‘inbound’ firewall rule on your domain controllers.

New Firewall Rule

Type = Custom > Next > All Programs > Next > Protocol type = TCP, Local Port = RPC Dynamic Ports, Remote Port = All Ports > Next.

Custom Firewall Rule FirePOWER Agent

Add the IP address of the FirePOWER Management Appliance > Next > Allow the Connection > Next.

Windows Firewall Rule FirePOWER Agent

I’m allowing for all profiles > Next > Give the rule an easy to recognise name > Finish.

FirePOWER Agent Real-Time unavailable

Now back on the server that’s running the user agent, you should just need to restart the ‘Cisco Firepower User Agent’ service. Though I usually just reboot the server and apply the ‘cup of coffee rule’.

Restart FirePOWER Agent Service

That Didn’t Work!

All my domain controllers, (a mixture of 2012 R2 and 2016 servers) then reported in fine, ALL EXCEPT ONE. I even tried disabling the firewall, I rechecked all the other pre-requisites and made sure it was using the default domain controller group policy; it flatly refused to ‘go-green’.

You can enable logging on the user agent, and get it to log, to the server event log, so I tried that and got;

FirePOWER Event ID 2317

Event ID 2317: Unable to attach to event listener {IP-Address}. Check firewall settings on AD Server. Attempted to perform an unauthorised operation.

No matter what I did, I could not get this one domain controller to report in. In the end I installed the FirePOWER agent directly on this domain controller, and added it as a new agent source in the FirePOWER Management appliance, then it reported fine.

FirePOWER Agent on Domain Controller

Related Articles, References, Credits, or External Links

NA

Cisco ASA – DNS Doctoring


KB ID 0001113 Dtd 03/07/17

Problem

Cisco DNS doctoring is a process that intercepts a DNS response packet as it comes back into the network, and changes the IP address in the response.

Why would you want to do this? Well, let's say you have a web server on your network, its public IP is 111.111.111.111, on your LAN its internal IP address is 192.168.1.100, and its public DNS name, (or URL) is www.yoursite.com. When a user types www.yoursite.com into their browser, DNS will respond with the public IP of 111.111.111.111, and not the IP address that's on your LAN (192.168.1.100). The client can't send the traffic out of the firewall, 'hairpin' it through 180 degrees and send the traffic back in again. So it fails. What DNS doctoring does is look for DNS response packets that have 111.111.111.111 in them and dynamically change the IP in the packet to 192.168.1.100.

Are there any prerequisites? Only that the DNS server sending the response sends its response through the ASA, i.e. if you have your own DNS server on site that serves the request (without a forward lookup or a root hint), then the DNS response does not go through the ASA, so it can't doctor it. This happens if your public website and your internal domain have the same name, or if your DNS server is authoritative for a domain with an IP address outside your network. To solve that problem your best bet is to set up 'Split DNS'.
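To make the rewrite concrete, here is a small Python model of what the firewall does to a DNS reply. This is an added example, not code from the original article and not Cisco's implementation: it builds a constructed DNS response for www.yoursite.com, walks the answer section, and rewrites any A record whose address matches the public side of a 'static ... dns' translation to the internal address. The mapping uses the article's own addresses (public 128.65.98.44 from the NAT example, internal 192.168.1.100 from the explanation above); the packet ID, TTL and the unrelated 203.0.113.5 address are made up for the demonstration.

```python
"""Model of ASA DNS doctoring: rewrite A-record answers in a DNS response.

Added example, not the article's or Cisco's code. The packets are constructed
inline; the public->internal mapping mirrors the article's NAT example.
"""
import struct
import ipaddress

# public address -> internal address, as a 'nat (inside,outside) static <pub> dns'
# statement would define it (addresses taken from the article).
DOCTOR_MAP = {"128.65.98.44": "192.168.1.100"}


def _skip_name(pkt, off):
    """Return the offset just past the DNS name at `off` (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:                 # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer, name ends here
            return off + 2
        off += 1 + length


def _answer_records(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                            # fixed DNS header size
    for _ in range(qdcount):            # skip the question section
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_response(pkt: bytes, mapping=DOCTOR_MAP) -> bytes:
    """Return `pkt` with matching A-record answers rewritten to their internal address.

    Only type A (1), class IN (1) RDATA is touched. An IPv4 address is always
    4 bytes, so the packet length and all later offsets are unchanged.
    Queries (QR bit clear) are returned untouched, as the ASA only rewrites replies.
    """
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:
        return pkt
    buf = bytearray(pkt)
    for off, rtype, rclass, rdlen in _answer_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in mapping:
                buf[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
    return bytes(buf)


def answer_addresses(pkt: bytes):
    """List the A-record addresses in the answer section (used to check results)."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def build_response(name: str, addresses, response=True) -> bytes:
    """Build a constructed DNS message: one question plus one A answer per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100        # QR/RD/RA set for a reply, RD only for a query
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses) if response else 0, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    answers = b""
    if response:
        for a in addresses:
            # 0xC00C = compression pointer back to the question name at offset 12
            answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


if __name__ == "__main__":
    reply = build_response("www.yoursite.com", ["128.65.98.44"])
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctor_dns_response(reply)))
```

The model makes the prerequisite from the paragraph above visible: the rewrite can only happen to a reply that actually passes through the function, and only when the answer's address is one the NAT statement knows about. On a real ASA the rewrite is performed by DNS inspection, so that inspection must be enabled for the traffic (it is in the default global policy), and a LAN client running nslookup against the public name is the quickest way to confirm the internal address is what comes back.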

Windows Setting up Split DNS

How to Setup DNS Doctoring

If you read the preamble you know that the DNS response needs to go through the firewall, and the public IP that gets resolved needs to be on your network. This can be either a host on your network with a public IP, or a host in your DMZ that has a public IP (both examples are shown below).

DNS Doctoring

It takes longer to explain what DNS doctoring is than it does to actually set it up. Essentially you simply add the 'dns' keyword to the end of the static NAT statement that maps the internal host to its public address.

Option 1 - DNS Doctoring for a host on your LAN

This is simply a one-to-one static NAT with the dns keyword added onto it, so using the example above (on the left), let's take a look at our NATs.

Petes-ASA# show run nat
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Obj-Static-128.65.98.44
 nat (inside,outside) static 128.65.98.44

You may have a lot more output, but this tells me there's a dynamic NAT for all network traffic (PAT everything to the outside interface dynamically), and a static translation for your internal host; that's the one we need to add the dns keyword to.

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config-network-object)# nat (inside,outside) static 128.65.98.44 dns
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: de650019 1f1583f7 70121512 e1d093e8 

15724 bytes copied in 3.430 secs (5241 bytes/sec)
[OK]
Petes-ASA(config)# 

How Do I Set Up DNS Doctoring In The ASDM?

DNS Doctoring In ASDM

Testing DNS Doctoring

Here's an example of what happened before we set up DNS doctoring (or where DNS doctoring is not working).

test dns

And once it's been configured, do the same and note the difference;

DNS redirected

Option 2 - Split DNS

Windows – Setting Up Split DNS

Related Articles, References, Credits, or External Links

Original Article Written 09/12/15

vCenter – Management Ports


KB ID 0001324 Dtd 03/07/17

Problem

A while ago my colleague was struggling to get into a vCenter server; normal HTTPS (TCP 443) wasn't letting him in. I knew you could manage the appliance directly (but I couldn't remember the port number!), and he knew there was an alternate port number, but we didn't know what it was.

Solution

vCenter Appliance (Direct) Management Port

TCP: 5480

i.e. https://{ip-or-host-name}:5480

vCenter Appliance Management Port

vCenter / vSphere Management Port

TCP: 443

i.e. https://{ip-or-host-name}

vCenter Client Port

vCenter / vSphere Alternative Management Port

TCP: 9443

i.e. https://{ip-or-host-name}:9443

vCenter Client Alternative Port

Related Articles, References, Credits, or External Links

NA
