trademarq

official blog of marquis montgomery: complete with notes, rants, reviews, tips, and tricks.


Disabling SSL v3 in Splunk Web to mitigate POODLE

I’ve been poking around trying to figure out the best way to handle POODLE in Splunk for situations that warrant it (i.e. concern about untrusted networks, or Splunk Web being reachable from the Internet). I have tested that the following settings in web.conf disable SSLv3, and they should be compatible with the latest versions of all major web browsers (except Firefox, which has some issue I haven’t been able to figure out yet):

In web.conf:

[settings]
startwebserver = 1
httpport = 443
enableSplunkWebSSL = true
cipherSuite = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SSLv3
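A small audit script for the stanza above, added here as an example; it is not Splunk's code and not from the original post. It reads the [settings] stanza with configparser, checks that SSL is on and that the cipher string carries the exclusions the post relies on, and then hands the cipher string to the local OpenSSL (through Python's ssl module) to show which suites survive. The point worth seeing is that in OpenSSL cipher-string syntax "!SSLv3" removes every cipher suite introduced with SSL 3.0 (AES128-SHA, DES-CBC3-SHA, and so on) rather than switching off the protocol version itself; because those are also the only suites a TLS 1.0 or 1.1 client can negotiate, such clients lose the handshake too, which is worth checking if an older browser fails. Whether your Splunk version also offers a separate protocol-version setting in web.conf is not confirmed by the post; check its documentation. The web.conf text and the shortened cipher list are constructed for the example.

```python
"""Audit a Splunk web.conf [settings] stanza for the POODLE-related settings.

Added example, not Splunk's own code. The config text below is constructed;
the cipher list is a shortened excerpt of the one in the post.
"""
import configparser
import ssl

# Constructed excerpt: a few TLS 1.2-only suites, a few SSL 3.0-era suites,
# and the exclusion tokens the post uses.
SAMPLE_CIPHER_SUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!SSLv3"
)

SAMPLE_WEB_CONF = f"""\
[settings]
startwebserver = 1
httpport = 443
enableSplunkWebSSL = true
cipherSuite = {SAMPLE_CIPHER_SUITE}
"""


def parse_web_conf(text):
    """Parse web.conf text. Splunk keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_settings(text):
    """Return a dict of yes/no findings for the [settings] stanza."""
    cp = parse_web_conf(text)
    s = cp["settings"] if cp.has_section("settings") else {}
    tokens = [t.strip() for t in s.get("cipherSuite", "").split(":") if t.strip()]
    required_exclusions = ("!aNULL", "!eNULL", "!EXPORT", "!RC4", "!MD5")
    return {
        "web_ssl_enabled": s.get("enableSplunkWebSSL", "").strip().lower() == "true",
        "https_port": s.get("httpport", "").strip() or None,
        "cipher_suite_set": bool(tokens),
        # "!SSLv3" strips the SSL 3.0-era suites from the list.
        "sslv3_suites_excluded": "!SSLv3" in tokens,
        "weak_families_excluded": all(x in tokens for x in required_exclusions),
    }


def effective_ciphers(cipher_string):
    """Ask the local OpenSSL which (name, protocol) pairs the string selects.

    Returns [] if OpenSSL rejects the string outright (no suite selectable).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def suites_removed_by_sslv3_token(cipher_string):
    """Names of the suites that the "!SSLv3" token alone takes away."""
    without = ":".join(t for t in cipher_string.split(":") if t != "!SSLv3")
    kept = {name for name, _ in effective_ciphers(cipher_string)}
    return sorted(name for name, _ in effective_ciphers(without) if name not in kept)


if __name__ == "__main__":
    for key, value in audit_settings(SAMPLE_WEB_CONF).items():
        print(f"{key:24} {value}")
    print("suites removed by !SSLv3:", suites_removed_by_sslv3_token(SAMPLE_CIPHER_SUITE))
    print("suites still offered:", effective_ciphers(SAMPLE_CIPHER_SUITE))
```

Run it against your own web.conf by reading the file into audit_settings; the "suites removed" line is the quickest way to see what the "!SSLv3" token actually did on the OpenSSL build Splunk links against.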

SSH WordPress Updater Support

Any self-conscious, security-minded administrator knows better than to run an FTP server, right?

So when you disable FTP on your server and you run WordPress, a side effect is that you are forced to update WordPress (and any associated plugins) manually every time, instead of taking advantage of the handy auto-updater, which only supports FTP and FTP over SSL, not SFTP.

Enter SSH SFTP Updater Support for WordPress: http://phpseclib.sourceforge.net/wordpress.htm

The Top 35 Mitigation Strategies

A colleague shared this with me today and I found it to be one of the more useful pieces of information I have come across all week. It is a document from the Defence Signals Directorate (DSD) of the Australian Government listing 35 mitigation strategies in order of effectiveness. I found the very first paragraph of the introduction to be especially striking:

At least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD) responded to in 2010 could have been prevented by following the first four mitigation strategies listed in our Top 35 Mitigation Strategies:

Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
Patch operating system vulnerabilities.
Minimise the number of users with administrative privileges.
Use application whitelisting to help prevent malicious software and other unapproved programs from running.

The reason I found that so interesting is because the first four strategies are rudimentary and basic in nature. Certainly every security professional is aware of those things, and generally, the average computer user is aware as well. So why is information security so difficult? Why is it tough work to keep the bad guys out? The short answer is that cyber defense is a game that has to be played perfectly, with no mistakes, and unfortunately we are all human. The best thing we can do is try our best to get it right the first time, and learn from our mistakes when they do happen.

The entire list and details can be read at the source: http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

Splunk for Asset Discovery

In the security world, knowing what you have to secure is the very first step in protecting yourself. A good security team has constant awareness of what information assets exist in the organization, and how important each of them is in terms of risk (computed as risk = threats x vulnerabilities). In order to do something like “make sure all of your servers are secure,” you first need to know a few things about each of your servers. How many servers you have, what operating systems they are running, and which servers are actually online are all very relevant questions. In our organization, we have chosen to use Splunk (http://www.splunk.com) for all of our “operational intelligence,” and there is a very useful App called “Splunk for Asset Discovery” which we used to answer those three important questions above.


Splunk for Asset Discovery is a very simple tool that does the following things:
1) Creates a special index inside Splunk called “asset_discovery”
2) Provides saved searches that pull useful information from the “asset_discovery” index
3) Provides a shell script, which can be customized, to run the NMAP scanner on an interval
4) Creates a scripted input for Splunk that runs as often as you set, firing off the NMAP shell script and indexing NMAP’s results into Splunk.

Installation of the App is as simple as going to SplunkBase and downloading the App (http://splunk-base.splunk.com/apps/25242/splunk-for-asset-discovery) or searching for “Asset Discovery” from the Apps section of Splunk’s Manager.


Important: This App utilizes the nmap command but does not provide it, so it is necessary to install nmap and add it to your PATH if it is not installed already. Also, nmap works best when executed as root, so if your Splunk installation is not already running as root, set the setuid bit on the root-owned nmap binary (“chmod +s nmap”) so that it runs as root. Note that a setuid-root nmap then runs with root privileges for any local user who is allowed to execute it.

After installing and enabling the App, a little bit of configuration is necessary to make the system perform correctly. The App’s configuration files should be located in the “/opt/splunk/etc/apps/asset_discovery/” directory. Conforming to Splunk’s app guidelines, there is a default/ directory and a local/ directory, each containing an app.conf and an inputs.conf. Also, the shell script which actually launches NMAP is in the bin/ directory, named nmap.sh. The configuration magic happens in local/inputs.conf:


### SAMPLE INPUTS.CONF ###
# inputs.conf

# ping scan
[script://./bin/nmap.sh -t 192.168.0.0/16]
interval = 900
source = nmap
sourcetype = ping_scan
index = asset_discovery
disabled = 0

# basic port scan
[script://./bin/nmap.sh -A -O 192.168.0.0/16]
interval = 14400
source = nmap
sourcetype = port_scan
index = asset_discovery
disabled = 0
##########################


There are a few important bits to notice about inputs.conf:

1) There are two separate blocks, one for ping scans and one for port scans. Each has the correct settings to input the data with the right sourcetypes to interact with the App on the Web.
2) In this example, we added an IP range (192.168.0.0/16) to force NMAP to scan that particular range. By default, bin/nmap.sh is scripted to scan the IP range *OF THE SERVER THAT EXECUTES THE SCRIPT*. In our case this was undesired.
3) By default, the sample blocks come with “disabled = 1”, which prevents them from running. Change this to 0 to actually allow scanning.
4) Interval time is measured in seconds. 900 = every 15 minutes.
5) You can choose to only run ping scans, leaving port scans disabled. This will allow you to actively discover assets on your network, but it will deprive you of the App’s ability to do OS fingerprinting, etc.
6) You can add as many blocks as necessary to scan each range of your network; simply copy and paste.

Once you have made the necessary changes to your inputs.conf, save it and restart Splunk. Splunk will automatically start running nmap.sh based on your preferences and index the results over time. Before long, you will have a detailed view of your environment in the Asset Discovery App within Splunk Web.
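The six points above amount to a small procedure (one pair of stanzas per range, disabled = 0, interval in seconds, sourcetype matching the scan type), and copy-and-paste across many ranges is where a stanza silently stays disabled or gets the wrong sourcetype. The script below, added here as an example and not part of the App, generates the stanza pairs for a list of ranges and audits an existing inputs.conf for exactly those mistakes. The stanza shape and the nmap.sh argument forms ("-t RANGE" for a ping scan, "-A -O RANGE" for a port scan) are copied from the sample above; the network ranges are constructed, and the intervals default to the post's 900 and 14400 seconds.

```python
"""Generate and audit Splunk for Asset Discovery inputs.conf stanzas.

Added example, not the App's own code. Stanza layout follows the sample
inputs.conf in the post; the CIDR ranges below are constructed.
"""
import configparser
import ipaddress

PING_INTERVAL = 900     # seconds: every 15 minutes
PORT_INTERVAL = 14400   # seconds: every 4 hours
INDEX = "asset_discovery"
SCRIPT = "script://./bin/nmap.sh"


def stanzas_for_range(cidr, ping_interval=PING_INTERVAL,
                      port_interval=PORT_INTERVAL, port_scan=True):
    """Return the ping-scan stanza (and optionally the port-scan stanza) for one range.

    strict=True rejects a range with host bits set, which catches typos such as
    192.168.1.5/16 before nmap is ever launched against them.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    lines = [
        f"# ping scan of {net}",
        f"[{SCRIPT} -t {net}]",
        f"interval = {ping_interval}",
        "source = nmap",
        "sourcetype = ping_scan",
        f"index = {INDEX}",
        "disabled = 0",
        "",
    ]
    if port_scan:
        lines += [
            f"# basic port scan of {net}",
            f"[{SCRIPT} -A -O {net}]",
            f"interval = {port_interval}",
            "source = nmap",
            "sourcetype = port_scan",
            f"index = {INDEX}",
            "disabled = 0",
            "",
        ]
    return "\n".join(lines)


def build_inputs_conf(cidrs, port_scan=True):
    """Concatenate stanzas for every range; point 6 of the post, without the pasting."""
    return "\n".join(stanzas_for_range(c, port_scan=port_scan) for c in cidrs) + "\n"


def audit_inputs_conf(text):
    """Return (stanza, problem) pairs for nmap.sh stanzas that would not behave as intended.

    configparser's default strict mode also raises on a duplicated stanza header,
    which is a common copy-and-paste slip.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith(SCRIPT):
            continue
        s = cp[name]
        args = name.split()[1:]
        if s.get("disabled", "1").strip() != "0":
            findings.append((name, "disabled = 1: stanza will never run"))
        if s.get("index", "").strip() != INDEX:
            findings.append((name, f"index is not {INDEX}: App searches will not see the data"))
        expected = "port_scan" if ("-O" in args or "-A" in args) else "ping_scan"
        if s.get("sourcetype", "").strip() != expected:
            findings.append((name, f"sourcetype should be {expected} for these nmap.sh arguments"))
        if not s.get("interval", "").strip().isdigit():
            findings.append((name, "interval must be a whole number of seconds"))
    return findings


if __name__ == "__main__":
    conf = build_inputs_conf(["192.168.0.0/16", "10.1.0.0/24"])   # constructed ranges
    print(conf)
    print("audit of generated file:", audit_inputs_conf(conf))
```

Write the generated text to local/inputs.conf, restart Splunk as the post says, and keep audit_inputs_conf around for the next time someone hand-edits the file.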


Splunk for Asset Discovery – http://splunk-base.splunk.com/apps/25242/splunk-for-asset-discovery
NMAP – http://nmap.org
CedarCrestone – http://www.cedarcrestone.com/

How to build the ultimate home theater PC setup

High Definition Television
Get a good one. That’s a whole other can of worms; I’ll direct you to Home Theater Mag if you need pointers.

Computer Hardware
One word – Mac Mini.

People who know me won’t be surprised by this, but the new Mac mini is probably the best way to get things going on the CPU side of things. Yes, at $699 it’s a little pricey, but the small size and whisper-quiet operation of the thing make it perfect for hiding behind or under your TV.

Trust me, if you cut corners and get a $300 net-top or something (like I did initially), you will pay dearly. My experience with the Acer Aspire Revo was abysmal. It was great, until I actually tried playing any Flash content or 1080p video files. I don’t care how you cut it, a home theater PC is useless if it can’t play Netflix, Hulu, or a 1080p video file. Even after upgrading to a $450 quad-core box small enough to fit in my media center, the AMD processors (what you get for that price) STILL did not give me the performance I needed, and it was louder than my vacuum cleaner. Eventually I ponied up for the new Mac mini (the one with the HDMI port) and it’s been great. Buttery-smooth HD playback of everything, nice and quiet. In fact, after about a month of using it, I don’t think I have ever heard more than a whisper out of the thing. Perfect.

Storage
One thing you need to consider is how you’re going to store your local library of content. Many of us have a huge stash of audio and video content loaded on a computer or external hard drive somewhere, and you’re going to want that on your home theater computer, or at least be able to access it somehow. Suggestions: get a Mac mini with a big enough hard drive for all your content, and if you have more than 250GB of content, get a Drobo. Yes, it’s expensive. But it automatically backs itself up, and it’s expandable, so you can make your drive pool bigger over time. Totally worth it.

Among other things, what I don’t recommend is running a separate computer with all your content on it and leaving it on all day just to serve content to your Mac mini. If you’re like me, you have a Core i7 machine and flat-panel display sucking down at least 400 watts of power. Not cool if you leave that on 24/7.

Controller
You will need a wireless mouse and keyboard. Get this, or something like it.

Software
Now there are a number of things you will need to install on this thing to get it going well.
Hulu Desktop – do I even need to explain this?
Plex – Media center software is necessary, and Plex is the one that I have settled on. Boxee and XBMC are notable choices too, however. My advice is check them all out and pick one. Then load up your huge storage library content into its libraries and have fun.
Silverlight – you’ll need this to make Netflix work.

That’s it. Enjoy.
