===== addresses to block =====
[[http://isc.sans.org/diary.html?storyid=5434&rss]]
85.255.112.0
85.255.127.255
===== open ports =====
lsof -i
===== port scan =====
nmap -sS -p T:0-65535 -T 4 localhost
nmap -sU -p U:0-65535 -T 4 localhost
^Ports being scanned by black.cirt.vt.edu as reported on 8-8-2007 and verified on helios 2007-8-23^^^
|21|tcp | ftp|
|22|tcp | ssh|
|23|tcp | telnet|
|25|tcp | smtp|
|80|tcp | http|
|135|tcp | msrpc|
|139|tcp | netbios-ssn|
|443|tcp | https|
|445|tcp | microsoft-ds|
|548|tcp | afpovertcp|
|1433|tcp | ms-sql|
|1521| | Oracle|
|1525| | Oracle|
|3306|tcp | mysql|
|3389|tcp | ms-term-serv (not scanned)|
|5003|tcp | FileMaker|
|5432|tcp | postgres|
|6969|tcp | bittorrent tracker|
|6881|tcp | bittorrent clients|
|6882|tcp | bittorrent clients|
|6883|tcp | bittorrent clients|
|6884|tcp | bittorrent clients|
|6885|tcp | bittorrent clients|
To listen on UDP port 1026 and see who is connecting:
nc -l -p 1026 -u -v
Sniffing packets:
An example tcpdump command:
tcpdump -nn -i eth0 -s 1514 -w file.cap 'tcp and port 5050'
This command captures full Ethernet frames (1500-byte MTU plus 14 bytes of frame header), binds to interface eth0 (the -i switch), and writes to a file called "file.cap". The expression at the end of the command line is the BPF filter, which matches TCP packets with port 5050 as either source or destination. The -nn disables hostname and port-name resolution.
tcpdump -s 200 -XX -vvv 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
This command captures 200 bytes of each packet instead of the default 60, displays them in hex and ASCII (-XX), and shows only ICMP packets that are neither echo requests nor echo replies. The filter is quoted so the shell does not treat the square brackets as a glob.
Wireshark:
The biggest advantage of using tshark is that it includes a ring buffer for packet capture. If you find yourself dropping packets with tcpdump, try tshark with the ring buffer.
The following command runs tshark bound to interface en0 (-i), disabling name resolution (-n), using a ring buffer that rotates files after every 10000K (-b filesize:10000), and writing to files with the base name "foo" (-w foo).
tshark -i en0 -b filesize:10000 -w foo -n
You end up with files named as follows:
foo_00001_20070831000015
foo_00002_20070831000039
===== xinetd =====
edit /etc/hosts.allow
ALL: 172.16.1. : allow
ALL: 128.173. : allow
ALL: 198.82. : allow
ALL: .vt.edu : allow
ALL: .aoe.vt.edu : allow
edit /etc/hosts.deny
ALL: ALL
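As an added example (not part of the original page), the following POSIX shell script models how tcp_wrappers evaluates the address and domain patterns in the hosts.allow list above, so the allow list can be sanity-checked before it is deployed. The patterns are the page's own; the client addresses and hostnames it is called with are constructed. For a real check against the installed files, use tcpdmatch(8) from the tcp_wrappers package.

```shell
#!/bin/sh
# Added example: a minimal model of tcp_wrappers pattern matching for the
# hosts.allow / hosts.deny pair above. Not the page's own script; for a real
# check use tcpdmatch(8) from the tcp_wrappers package.
#
# Pattern forms modelled (from hosts_access(5)):
#   ALL          matches every client
#   "128.173."   trailing dot: matches addresses that begin with the string
#   ".vt.edu"    leading dot: matches hostnames that end with the string
#   anything else is compared literally against the address or hostname

# Allow list copied from the hosts.allow entries on this page.
ALLOW_PATTERNS="172.16.1. 128.173. 198.82. .vt.edu .aoe.vt.edu"

# wrap_match PATTERN ADDRESS HOSTNAME -> exit status 0 on a match
wrap_match() {
  pat=$1; addr=$2; host=$3
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$host" in *"$pat") return 0 ;; esac ;;
    *.)  case "$addr" in "$pat"*) return 0 ;; esac ;;
    *)   if [ "$pat" = "$addr" ] || [ "$pat" = "$host" ]; then return 0; fi ;;
  esac
  return 1
}

# wrap_decide ADDRESS HOSTNAME -> prints "allow" or "deny"
# hosts.allow is consulted first; with "ALL: ALL" in hosts.deny, anything the
# allow list does not match is refused.
wrap_decide() {
  for p in $ALLOW_PATTERNS; do
    if wrap_match "$p" "$1" "$2"; then
      echo allow
      return 0
    fi
  done
  echo deny
  return 0
}

# Caveat: tcp_wrappers only trusts a hostname after the reverse lookup of the
# address maps back to that address, so a ".vt.edu" pattern never matches a
# client whose reverse DNS is missing or inconsistent. Pass "unknown" as the
# hostname to see what such a client gets.
wrap_decide 128.173.188.25 pluto.aoe.vt.edu   # allow (128.173. prefix)
wrap_decide 10.0.0.1       host.cc.vt.edu     # allow (.vt.edu suffix)
wrap_decide 172.16.10.1    unknown            # deny: "172.16.1." is not "172.16.10."
wrap_decide 85.255.112.5   unknown            # deny
```

The trailing dot in address patterns matters: "172.16.1." covers 172.16.1.0/24 only, while "172.16.1" without the dot would be compared literally and match nothing.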
===== IpSec (Windows) =====
[[http://www.microsoft.com/technet/network/security/ipsecld.mspx]]
==== Sample list ====
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^
|Web—regular | in | all | 131.107.1.1 | TCP | 80 |
|Web—SSL| in| all| 131.107.1.1| TCP| 443 |
|SMTP| in, out| all, all| 131.107.1.2| TCP| 25 |
|POP3—regular| in| all| 131.107.1.2| TCP| 110 |
|POP3—SSL| in| all| 131.107.1.2| TCP| 995 |
|IMAP4—regular| in| all| 131.107.1.2| TCP| 143 |
|IMAP4—SSL| in| all| 131.107.1.2| TCP| 993 |
==== Domain Controllers ====
from __AOE System Administrators Guide__
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^pluto ^neptune ^
^ Simple Services ^^^^^^^^
| netbios ||||||||
| netbios-ns | | | | | 137 | | |
| netbios-dgm | | | | | 138 | | |
| netbios-ssn | | | | | 139 | | |
| SMB ||||||||
| microsoft-ds | | | | | 445 | | |
| Kerberos ||||||||
| kerberos | | | | | 88 | | |
| kpasswd5 | | | | | 464 | | |
| kerberos-adm | | | | | 749 | | |
| krb5_prop | | | | | 754 | | |
| krbupdate | | | | | 760 | | |
| LDAP ||||||||
| ldap | | | | | 389 | | |
| ldapssl | | | | | 636 | | |
| globalcatLDAP | | | | | 3268 | | |
| globalcatLDAPssl | | | | | 3269 | | |
| IDMUPassSync | | | | | 6677 | | |
| profile ||||||||
| profile | | | | | 136 | | |
| msdtc ||||||||
| msdtc | | | | | 3372 | | |
| http ||||||||
| http | | | | | 80 | | |
| https | | | | | 443 | | |
| IIS | | | | | 1027 | | |
| lpd ||||||||
| lpd | | | | | 515 | | |
^ Remote Access Services ^^^^^^^^
| RDP ||||||||
| RDP | | | | | 3389 | | |
| telnet ||||||||
| telnet | | | | | 23 | | |
^ MS RPC ^^^^^^^^
| msrpc | | | | | 135 | | |
| msrpc_high | | | | | 593 | | |
^ Sun RPC ^^^^^^^^
| rpc bind | | | | | 111 | | |
| rpc service | | | | | 5000-5020 | | |
[root@hephaistos ~]# nmap pluto
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 06:57 EDT
Warning: Hostname pluto resolves to 2 IPs. Using 128.173.188.25.
Interesting ports on 128.173.188.25:
Not shown: 1663 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
515/tcp open printer
593/tcp open http-rpc-epmap
610/tcp open npmp-local
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
MAC Address: 00:30:48:81:5D:9D (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 1.999 seconds
[root@hephaistos ~]# nmap neptune
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 07:06 EDT
Warning: Hostname neptune resolves to 2 IPs. Using 128.173.188.26.
Interesting ports on neptune.aoe.vt.edu (128.173.188.26):
Not shown: 1663 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
606/tcp open urm
636/tcp open ldapssl
1026/tcp open LSA-or-nterm
1027/tcp open IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
MAC Address: 00:30:48:72:86:38 (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 1.865 seconds
[root@hephaistos ~]# nmap neptune2
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 07:07 EDT
Warning: Hostname neptune2 resolves to 2 IPs. Using 128.173.188.28.
Interesting ports on neptune2.aoe.vt.edu (128.173.188.28):
Not shown: 1665 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
866/tcp open unknown
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1241/tcp open nessus
MAC Address: 00:30:48:8F:76:3B (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 1.957 seconds
==== servers ====
=== printers.aoe.vt.edu ===
Printers is running IPsec to limit access from campus, plus the Windows firewall rules are also running. This presented a problem when accessing from wireless, in that the Windows firewall 'File Sharing' exception was limited to the local subnet. I placed a custom list using 128.173.0.0/255.255.0.0 and 198.82.0.0/255.255.0.0.
==== Lab Machines ====
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^
| | | | | | |
==== SSSL Lab machines ====
severian
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^
| gps - custom | in | campus | local-host | TCP | 30002 |
| gps - custom | in | 128.173.89.201 (euripides.ece.vt.edu) (Whitamore GPS lab) | local-host | TCP | 5002-5005 |
typhon
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^
| gps - custom | in | campus | local-host | TCP | 30002 |
| gps - custom | in | 128.173.89.201 (euripides.ece.vt.edu) (Whitamore GPS lab) | local-host | TCP | 5002-5005 |
| nfs for pc-104's | in | 192.168.0.0 | 192.168.0.254 | TCP | 30002 |
==== licenseserver ====
==== licenseserver3 ====
==== licenseserver4 ====
|AGI| | 27001 |
|Autodesk| 2080 | 27000 |
|Comsol| 1718 | |
|PTC (Mathcad)| 7788 | |
|Star CCM+| 1999 | |
|Intel fortran compiler| 28518 | |
===== iptables (Linux) =====
[[http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html]]
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
chkconfig iptables on
[[http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables]]
Logging new inbound connections that do not originate from the host itself (the first pair names the host explicitly, the second pair uses `hostname`):
iptables -t filter -I INPUT -m state --state NEW -p udp -s ! aries.aoe.vt.edu -d aries.aoe.vt.edu -j LOG --log-prefix=" New_udp "
iptables -t filter -I INPUT -m state --state NEW -p tcp -s ! aries.aoe.vt.edu -d aries.aoe.vt.edu -j LOG --log-prefix=" New_tcp "
iptables -t filter -I INPUT -m state --state NEW -p udp -s ! `hostname` -d `hostname` -j LOG --log-prefix=" New_udp "
iptables -t filter -I INPUT -m state --state NEW -p tcp -s ! `hostname` -d `hostname` -j LOG --log-prefix=" New_tcp "
Save and restore:
[[iptables]]
==== licenseserver2 ====
nmap output from the old license server with no firewall:
[root@licenseserver2 ~]# nmap -sS -r -p T:0-65535 localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-08-10 10:01 EDT
Interesting ports on licenseserver2.aoe.vt.edu (127.0.0.1):
(The 65528 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
16286/tcp open unknown
27000/tcp open flexlm0
32768/tcp open unknown
32779/tcp open sometimes-rpc21
Nmap run completed -- 1 IP address (1 host up) scanned in 26.695 seconds
[root@licenseserver2 ~]# nmap -sU -r -p U:0-65535 localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-08-10 10:00 EDT
Interesting ports on licenseserver2.aoe.vt.edu (127.0.0.1):
(The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/udp open|filtered rpcbind
123/udp open|filtered ntp
631/udp open|filtered unknown
948/udp open|filtered unknown
5621/udp open unknown
7931/udp open unknown
32768/udp open|filtered omad
32769/udp open|filtered unknown
60189/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 28.585 seconds
Supermicro licenseserver2 with the firewall on:
[root@licenseserver2 ~]# nmap -sS -p T:0-65535 -T 4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-10 07:33 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
695/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 3.775 seconds
[root@licenseserver2 ~]# nmap -sU -p U:0-65535 -T 4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-10 07:34 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 65531 closed ports
PORT STATE SERVICE
514/udp open|filtered syslog
631/udp open|filtered unknown
689/udp open|filtered unknown
692/udp open|filtered unknown
56217/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 6.590 seconds
^Role ^Direction ^From/to ^Interface IP address ^IP Protocol ^TCP/UDP port ^
| ami_elm (AMI Products) | in | all | licenseserver2 | UDP | 5621 |
| surfgen/lmgrd | in | all | licenseserver2 | TCP | 27000 |
| mathlm (mathematica) | in | all | licenseserver2 | TCP | 16286 |
| asi_elm (Gasp) | in | all | licenseserver2 | UDP | 7931 |
| surfgen/gridgend | in | all | licenseserver2 | TCP | 34000 |
| surfgen/ami-squeeze gridgend | in | all | licenseserver2 | TCP | 1542 |
| visualdoc/lmgrd | in | all | licenseserver2 | TCP | 27002 |
| visualdoc/lmgrd | in | all | licenseserver2 | TCP | 56708 |
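The scans above and the role table are two views of the same host; checking one against the other is how a firewall change is verified. As an added example (not part of the original page), this POSIX shell script parses nmap's normal output and reports both ports that are open but absent from the role table and table entries the scan did not see open. EXPECTED is taken from the role table plus ssh; SCAN_OUTPUT is constructed for the example from the scans shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page: compare an nmap listing for
# licenseserver2 with the role table above. Ports open but not in the table
# should be closed or firewalled; table entries not seen open mean the
# service is down or a rule is blocking the scanner's source.

# Expected exposure, "port/proto" per line (role table above, plus ssh).
EXPECTED="22/tcp
27000/tcp
16286/tcp
34000/tcp
1542/tcp
27002/tcp
56708/tcp
5621/udp
7931/udp"

# Constructed nmap output in the normal (non-grepable) format.
SCAN_OUTPUT="Interesting ports on licenseserver2.aoe.vt.edu (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
16286/tcp open unknown
27000/tcp open flexlm0
32779/tcp open sometimes-rpc21
123/udp open|filtered ntp
5621/udp open unknown
7931/udp open unknown"

# open_ports SCAN -> "port/proto" for every line nmap reports as open or
# open|filtered, sorted numerically by port.
open_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1 }' | sort -n
}

# unexpected_open SCAN -> open ports the role table does not list
unexpected_open() {
  for p in $(open_ports "$1"); do
    printf '%s\n' "$EXPECTED" | grep -qxF "$p" || echo "$p"
  done
}

# expected_not_seen SCAN -> role-table ports the scan did not find open
expected_not_seen() {
  for p in $EXPECTED; do
    open_ports "$1" | grep -qxF "$p" || echo "$p"
  done
}

echo "open but not in the role table:"
unexpected_open "$SCAN_OUTPUT"
echo "in the role table but not seen open:"
expected_not_seen "$SCAN_OUTPUT"
```

Scanning from localhost, as the page does, shows what is listening rather than what the firewall exposes: the iptables rules here are keyed on the source network, so the second list is only meaningful when the scan is run from a campus address the rules accept.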
Add these lines to /etc/sysconfig/iptables
# Limit ssh to campus
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
# surfgen
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27000 -j ACCEPT
# visualdoc
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 56708 -j ACCEPT
# mathlm
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 16286 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32779 -j ACCEPT
# ami_elmd
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 5621 -j ACCEPT
# asi_elmd
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 7931 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32769 -j ACCEPT
# surfgen
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27000 -j ACCEPT
# visualdoc
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 56708 -j ACCEPT
# mathlm
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 16286 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32779 -j ACCEPT
# ami_elmd
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 5621 -j ACCEPT
# asi_elmd
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 7931 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32769 -j ACCEPT
==== nfs servers ====
[root@alexandria ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# Preamble
*filter
# Input Chain
:INPUT ACCEPT [0:0]
# Forward Chain
:FORWARD ACCEPT [0:0]
# Output Chain
:OUTPUT ACCEPT [0:0]
# RH-Firewall-1-INPUT chain
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Trusted Devices
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
# Low-level protocols
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# Stateful outgoing connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
# FTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 21 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 128.173.0.0/16 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 198.82.0.0/16 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 128.173.0.0/16 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 198.82.0.0/16 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 445 -j ACCEPT
# NFS Clients
-A RH-Firewall-1-INPUT -s aries.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s athena.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s bacchus.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s courier.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s dorcas.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s drotte.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s ericjohnson.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s galerkin.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s genecliff.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s halley.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s helios.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s hephaistos.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s idesk.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s lotus.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s lyapunov.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s neptune.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s orion.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s pluto.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s severian.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s sirius.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s typhon.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s valkyrie.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s vonkarman.aoe.vt.edu -j ACCEPT
# Tivoli Backup
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s tsmserver.cc.vt.edu --dport 1500 -j ACCEPT
-A RH-Firewall-1-INPUT -s tsmserver.cc.vt.edu -j ACCEPT
# ntp --not needed ??
# -A input --proto udp -s ntp-1.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-2.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-3.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-4.vt.edu ntp --jump ACCEPT
# Postamble
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
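The three /etc/sysconfig/iptables listings on this page (the base configuration, licenseserver2 and the nfs servers) all follow the RH-Firewall-1-INPUT pattern: ACCEPT rules first, then a final REJECT. What a reviewer checks first in such a file is which ports are open to any source and which sources are trusted for everything. As an added example (not part of the original page), this POSIX shell script extracts exactly that; RULES is a constructed excerpt of the nfs server file above, and the functions accept any file in the same format.

```shell
#!/bin/sh
# Added example, not from the original page: audit an /etc/sysconfig/iptables
# file written in the RH-Firewall-1-INPUT style used on this page.
# RULES is a constructed excerpt of the nfs server configuration above.

RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s aries.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s tsmserver.cc.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# parse_accepts RULES -> one "proto dport src iface" line per ACCEPT rule on
# the RH-Firewall-1-INPUT chain, "-" standing for a match that is absent.
parse_accepts() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "RH-Firewall-1-INPUT" && / -j ACCEPT/ {
      proto = "-"; dport = "-"; src = "-"; iface = "-"
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")      proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-s")      src   = $(i + 1)
        if ($i == "-i")      iface = $(i + 1)
      }
      print proto, dport, src, iface
    }'
}

# world_open_ports RULES -> "dport/proto" accepted without any -s restriction.
# The mDNS rule shows up here because -d 224.0.0.251 limits only the
# destination, not who may send.
world_open_ports() {
  parse_accepts "$1" | awk '$2 != "-" && $3 == "-" { print $2 "/" $1 }'
}

# fully_trusted_sources RULES -> -s entries accepted for every protocol and
# port (the "NFS Clients" and "Tivoli Backup" pattern on this page).
fully_trusted_sources() {
  parse_accepts "$1" | awk '$3 != "-" && $1 == "-" && $2 == "-" { print $3 }'
}

# trusted_interfaces RULES -> interfaces whose traffic is accepted wholesale
trusted_interfaces() {
  parse_accepts "$1" | awk '$4 != "-" && $1 == "-" && $2 == "-" && $3 == "-" { print $4 }'
}

echo "ports open to any source:";      world_open_ports "$RULES"
echo "sources trusted for all ports:"; fully_trusted_sources "$RULES"
echo "interfaces trusted wholesale:";  trusted_interfaces "$RULES"
```

To run it against the live file, replace the RULES literal with `$(cat /etc/sysconfig/iptables)`. Hostnames in -s rules are resolved once, when the rules are loaded, so a fully trusted hostname whose address changes keeps the old address until the next restart.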
===== Denyhosts =====
/usr/share/denyhosts/data/allowed-hosts
172.16.1.*
128.173.*
198.82.*
===== yum =====
===== Unix box setup =====
==== Kerberos ====
Realm: AOE.VT.EDU
KDC: neptune.aoe.vt.edu:88,pluto.aoe.vt.edu:88
Admin Server: neptune.aoe.vt.edu:749,pluto.aoe.vt.edu:749
[*] Use DNS to resolve hosts to realms
[*] Use DNS to locate KDCs for realms
==== NIS ====
Domain: aoe
Server: alexandria.aoe.vt.edu
===== logwatch =====
===== mount =====
/etc/fstab
s/default/tcp
===== Other =====
When adding NFS client machines, be sure to modify these files on the servers:
/etc/sysconfig/iptables
/etc/hosts
/etc/securenets
/etc/exports
=== sshd ===
When a machine will not use the kerberos password, check
/etc/ssh/sshd_config
=== ssl certificates ===
Required for remote printing (CUPS) administration on Gentoo:
openssl req -new -x509 -keyout /etc/cups/ssl/server.key -out /etc/cups/ssl/server.crt -days 365 -nodes
===== DNS =====
[stedwar1@hephaistos ~]$ cat /home/sysadmin/dns/ip.txt
# Request additional IP addresses from hostmaster@cns.vt.edu
#
# Current Nameservers:
#
# 198.82.247.98 milo.cns.vt.edu
# 198.82.247.66 jeru.cns.vt.edu
#
# ------------------------------------------------------------------------------
# Current IP numbers for Torgersen Hall
#
# gateway: 128.173.48.1
# subnet mask: 255.255.248.0
# broadcast: 128.173.55.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.49.[220-235]
#
# ------------------------------------------------------------------------------
# Current IP numbers for Whittemore Hall
#
# gateway: 128.173.88.1
# subnet mask: 255.255.252.0
# broadcast: 128.173.91.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.90.[108-109]
#
#128.173.90.108 .aoe.vt.edu ; Sat Lab, 633C Whittemore
#
# ------------------------------------------------------------------------------
# Current IP numbers for Norris Hall
#
# gateway: 128.173.
# subnet: 255.255.
# broadcast: 128.173..255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.161.[30-39]
#
# ------------------------------------------------------------------------------
# Current IP numbers for AOE Hancock (Simulator lab)
#
# gateway: 128.173.164.1
# subnet: 255.255.252.0
# broadcast: 128.173.167.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.167.[1-46]
#
128.173.167.1 flightsim.aoe.vt.edu ; Flight simulator control computer
128.173.167.2 dictum-factum.aoe.vt.edu ; Indigo^2
128.173.167.3 drotte.aoe.vt.edu ; SSSL Linux PC
#128.173.167.4 turbodog.aoe.vt.edu ; PCLand PIV 2.4GHz
128.173.167.5 simlab.aoe.vt.edu ; Simlab NAT 10.194.194.0/255.255.0
128.173.167.6 oetjens.aoe.vt.edu ; Bill Oetjen's computer
128.173.167.7 simlab-mac.aoe.vt.edu ; MAC G4 desktop, flight sim lab Hancock
#128.173.167.8 newcastle.aoe.vt.edu ; Power Computing Computers
#128.173.167.9 bass.aoe.vt.edu ; SGI Octane
#128.173.167.10 guinness.aoe.vt.edu ; SGI Origin 2000
#128.173.167.11 longshot.aoe.vt.edu ; Rackmounted P4 (In cockpit)
128.173.167.12 drtalos.aoe.vt.edu ; 214 Hancock
128.173.167.13 sevra.aoe.vt.edu ; STL comp in hancock
128.173.167.14 wicked-ale.aoe.vt.edu ; Dell 266
128.173.167.15 dorcas.aoe.vt.edu ; Dell, Hancock SSSL
128.173.167.16 sputnik.aoe.vt.edu ; 214 Hancock
128.173.167.17 theclas.aoe.vt.edu ; 214 Hancock
128.173.167.18 triskele.aoe.vt.edu ; 214 Hancock
128.173.167.19 typhon.aoe.vt.edu ; 214 Hancock
128.173.167.20 sssl711.aoe.vt.edu ; Space Lab Webcam
#128.173.167.21 bulldurham.aoe.vt.edu ; Bull Durham workstation; flight simulator lab
128.173.167.22 jolenta.aoe.vt.edu ; 214 Hancock
128.173.167.23 father-inire.aoe.vt.edu ; Sim Lab
128.173.167.24 sssl-biborg.aoe.vt.edu ; 214 Hancock
#
# ------------------------------------------------------------------------------
# Current IP information for AOE hosts in Femoyer Hall:
# 128.173.105.1 default router
# 255.255.255.0 subnet mask
# 128.173.105.255 broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.105.[24-56]
#
# Current IP address assignments for AOE hosts in Femoyer Hall:
#
128.173.105.24 ritz.aoe.vt.edu ; Sun Blade 1000, 205 Femoyer
128.173.105.25 fem203.aoe.vt.edu ; Dell 8100, 203 Femoyer
128.173.105.26 structures1.aoe.vt.edu ;
128.173.105.27 twain.aoe.vt.edu ; Lab7 Workstation
128.173.105.28 nitewolf.aoe.vt.edu ; Lab7 Print Server
128.173.105.29 voltaire.aoe.vt.edu ; OptiPlex GX240, 219 Femoyer
128.173.105.30 hemingway.aoe.vt.edu ; OptiPlex GX240, 219 Femoyer
128.173.105.31 fem332.aoe.vt.edu ; Dell Optiplex GX 270, 332 Femoyer
128.173.105.32 optim.aoe.vt.edu ; Macintosh, 204 Fem
128.173.105.33 seuss.aoe.vt.edu ; OptiPlex GX240, 219 Femoyer
128.173.105.34 asterix.aoe.vt.edu ; OptiPlex GX240, 219 Femoyer
128.173.105.35 rkafafy.aoe.vt.edu ; ??, 329 Femoyer
128.173.105.36 obelix.aoe.vt.edu ; OptiPlex GX240, 219 Femoyer
128.173.105.37 vortex.aoe.vt.edu ; research, 323 Femoyer, cheol han
128.173.105.38 mikim3.aoe.vt.edu ; Dell Dimension 4000, 317 Femoyer
128.173.105.39 rkafafy2.aoe.vt.edu ; ??? Femoyer
128.173.105.40 ato.aoe.vt.edu ; 204 Femoyer
128.173.105.41 helios.aoe.vt.edu ; Patil Lab linux box
128.173.105.42 tethys.aoe.vt.edu ; 204 Femoyer
128.173.105.43 vtech-raed.aoe.vt.edu ; 329 Femoyer, Dell Dimension 4200
128.173.105.44 reynolds.aoe.vt.edu ; Sun Blade 100, 332 Femoyer
128.173.105.45 euler-fem.aoe.vt.edu ; Dell Lattitude, 219 Femoyer
128.173.105.46 davinci.aoe.vt.edu ; 219 Femoyer
128.173.105.47 patil-lab2.aoe.vt.edu ; Dell Optiplex, 211 Femoyer
128.173.105.48 prandtl.aoe.vt.edu ; 219 Femoyer
128.173.105.49 fourier.aoe.vt.edu ; SunBlade 1000 205 Femoyer
128.173.105.50 blasius.aoe.vt.edu ; 219 Femoyer
128.173.105.51 structuresprinter.aoe.vt.edu ; Print Server - 205 Femoyer
128.173.105.52 mavandyk.aoe.vt.edu ; Personal Desktop of Matthew VanDyke
128.173.105.53 femoyer-temp.aoe.vt.edu ; Temporary IP for machine-setups in Femoyer
#128.173.105.54 gtech2.aoe.vt.edu ; 330-332 Femoyer, DELL 3GHZ
128.173.105.55 patil-lab1.aoe.vt.edu ; Dell Optiplex, 201 Femoyer
128.173.105.56 nautilus.aoe.vt.edu ; Dr. Neu, Research, Femoyer
#The following ip's have been returned to cns:
#128.173.105.57 cheshirecat.aoe.vt.edu ; 319 Femoyer (Linux)
#128.173.105.58 cwoolsey-grad.aoe.vt.edu ; 327 Femoyer
#128.173.105.59 ssadek.aoe.vt.edu ; 321 Femoyer
#128.173.105.60 wright.aoe.vt.edu ; 219 Femoyer
#128.173.105.61 eyes.aoe.vt.edu ; 323 Femoyer
#128.173.105.62 superman.aoe.vt.edu ; 323 Femoyer
#128.173.105.63 astarte.aoe.vt.edu ; Femoyer Mostafa M. Abdalla
# ------------------------------------------------------------------------------
# Current IP information for AOE hosts in Ware Lab:
#
# 128.173.116.1 default router
# 255.255.252.0 subnet mask
# 128.173.119.255 broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.116.[185-196]
#
# Specific IP address assignments for AOE hosts in Ware Lab:
#
128.173.116.185 warelab.aoe.vt.edu ; Ware Lab PC for HokieSat
#
# ------------------------------------------------------------------------------
# Current IP information for AOE hosts in Randolph Hall:
#
# 128.173.188.1 default router
# 255.255.252.0 subnet mask
# 128.173.191.255 broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.188.[24-99]
# 128.173.189.[1-23]
# 128.173.191.[1-75]
#
# Specific IP address assignments for AOE hosts in Randolph Hall:
#
128.173.188.24 artemis.aoe.vt.edu ; Syslog, NUT, and Nessus
128.173.188.25 pluto.aoe.vt.edu ; Dell PowerEdge 2400, 313B Randolph
128.173.188.26 neptune.aoe.vt.edu ; Dell OptiPlex GX1, 313B Randolph
128.173.188.27 athena.aoe.vt.edu ; secondary file server, 313 Randolph Hall
128.173.188.28 temporary.aoe.vt.edu ; Used for testing machines
128.173.188.29 frontdesk.aoe.vt.edu ; Front Desk NAT
128.173.188.30 jowang.aoe.vt.edu ; Apple G4, 217(?) Randolph
128.173.188.31 naira.aoe.vt.edu ; Naira Hovakimyan Desktop Randolph 224B
128.173.188.32 shmlab.aoe.vt.edu ; Randolph 33A TP03B - Hallauer
128.173.188.33 an1003.aoe.vt.edu ; 100 Annex, Dr. Simpson's group
128.173.188.34 lotus.aoe.vt.edu ; Linux Workstation, Randolph 1
128.173.188.35 gl-mercury.aoe.vt.edu ; Dell Dimension XPS, 315 Randolph
128.173.188.36 ericjohnson.aoe.vt.edu ; 313 Randolph Hall
128.173.188.37 schaub-dt.aoe.vt.edu ; Dr. Schaub Desktop, 2XX Randolph
128.173.188.38 peggy.aoe.vt.edu ; Sue Teal desktop
128.173.188.39 idesk.aoe.vt.edu ; Dell 670n, 315 Randolph
128.173.188.40 nsl01.aoe.vt.edu ; Dell Dimension 4700, 1A Randolph
128.173.188.41 patali.aoe.vt.edu ; Dell Workstation, flat panel, 213D Randolph
128.173.188.42 licenseserver4.aoe.vt.edu ; Server Rack, 315 Randolph
128.173.188.43 alexandria.aoe.vt.edu ; Main file server, 313 Randolph
128.173.188.44 marchman.aoe.vt.edu ; Dell, Marchman's Office
128.173.188.45 orion.aoe.vt.edu ; SGI Power Challenge, 313B Randolph
128.173.188.46 simpson.aoe.vt.edu ; Dell 8300, 218 Randolph
128.173.188.47 hyperx.aoe.vt.edu ; Gateway, basement Randolph
128.173.188.48 foushee.aoe.vt.edu ; Power Macintosh, 215 Randolph
128.173.188.49 williams.aoe.vt.edu ; Dell Something, 215 Randolph
128.173.188.50 hephaistos.aoe.vt.edu ; Mac Mini 313 Randolph
128.173.188.51 office-mac.aoe.vt.edu ; Dr. Chris Hall's laptop
128.173.188.52 aoeshop.aoe.vt.edu ; Dell Dimension XPS R450, Randolph basement
128.173.188.53 workroombw.aoe.vt.edu ; Workroom printer/copier
128.173.188.54 lyapunov.aoe.vt.edu ; Leigh McCue number cruncher 226 Randolph
128.173.188.55 simpson-old.aoe.vt.edu ; Gateway E-3000, ??? Randolph
128.173.188.56 euler-ran.aoe.vt.edu ; Dell Latitude Laptop
128.173.188.57 nsl02.aoe.vt.edu ; Dell Dimension 4700, 1A Randolph
128.173.188.58 designjet.aoe.vt.edu ; DesignJet 450C, 217 Randolph
128.173.188.59 brown5.aoe.vt.edu ; Dell Optiplex, 311 Randolph
128.173.188.60 sirius.aoe.vt.edu ; Macintosh G3, 315 Randolph
128.173.188.61 godzilla.aoe.vt.edu ; Dell XPS R450, Basement
128.173.188.62 hallauer.aoe.vt.edu ; Dell Optiplex, 213B Randolph
128.173.188.63 daemos.aoe.vt.edu ; Lubos workstation, 315 Randolph
128.173.188.64 galerkin.aoe.vt.edu ; Dell Precision 380, Scientific Linux 4
128.173.188.65 shosder.aoe.vt.edu ; Serhat Hosder Laptop
128.173.188.66 workroomcolor.aoe.vt.edu ; Workroom printer/copier
128.173.188.67 kolmogorov.aoe.vt.edu ; PCLand, 26 Randolph, Dr. Simpson's Group
128.173.188.68 vonkarman.aoe.vt.edu ; Gateway 1ghz Athlon, Scientific Linux 4
128.173.188.69 boetjens.aoe.vt.edu ; Gateway, Bill Oetjens' office
128.173.188.70 blackbird.aoe.vt.edu ; PC Land P3 550, Wind tunnel PC
128.173.188.71 hp4050.aoe.vt.edu ; HP LaserJet 4050N, Design Lab
128.173.188.72 dl-sayer.aoe.vt.edu ; Dell P4,3Ghz Workstation, 217 Randolph
128.173.188.73 lab7-rts.aoe.vt.edu ; Edgar Orsi
128.173.188.74 kelowe.aoe.vt.edu ; 209 Randolph Annex
128.173.188.75 dl-shepard.aoe.vt.edu ; Dell P4, 3Ghz Workstation, 217 Randolph
128.173.188.76 skinf.aoe.vt.edu ; Custom Built, ? Rand. Annex
128.173.188.77 courier.aoe.vt.edu ; Departmental mail server, 313 Randolph
128.173.188.78 agave.aoe.vt.edu ; Dell Dimension XPS, 331A Randolph
128.173.188.79 dl-schirra.aoe.vt.edu ; Dell P4,3Ghz Workstation, 217 Randolph
128.173.188.80 reception.aoe.vt.edu ; 215 Randolph
128.173.188.81 melnikov.aoe.vt.edu ; McCue Linux workstation
128.173.188.82 hydrolab2.aoe.vt.edu ; Gateway P233 (Roaming)
128.173.188.83 rwalters.aoe.vt.edu ; Apple G4 Laptop, 215 Randolph
128.173.188.84 nslnat.aoe.vt.edu ; NSL NAT, Randolph 01
128.173.188.85 malrubius.aoe.vt.edu ; Gateway, 311 Randolph
128.173.188.86 gwibo.aoe.vt.edu ; In Randolph Annex
128.173.188.87 bacchus.aoe.vt.edu ; Web Server, 313 Randolph
128.173.188.88 nsl03.aoe.vt.edu ; Woolsey Lab
#128.173.188.89 distance2.aoe.vt.edu ;
128.173.188.90 licenseserver.aoe.vt.edu ; Gateway P200, 315 Randolph
128.173.188.91 phoebe.aoe.vt.edu ; Graduate Lab Workstation -- PPC Linux
128.173.188.92 hugheslt.aoe.vt.edu ; Pentium laptop, 224C Randolph
128.173.188.93 griffith.aoe.vt.edu ; 24 Randolph
128.173.188.94 aries.aoe.vt.edu ; Dual Athlon rackmount Linux workhorse
128.173.188.95 atlantis01.aoe.vt.edu ; Macintosh G5 Cluster Node
128.173.188.96 atlantis02.aoe.vt.edu ; Macintosh G5 Cluster Node
128.173.188.97 atlantis03.aoe.vt.edu ; Macintosh G5 Cluster Node
128.173.188.98 atlantis04.aoe.vt.edu ; Macintosh G5 Cluster Node
128.173.188.99 cnc.aoe.vt.edu ; Randolph 15 Shop CNC Computer
#128.173.189.1 oberon.aoe.vt.edu ;
128.173.189.2 michigan.aoe.vt.edu ; Sun UltraSparc 10, Yong Cao
128.173.189.3 neu.aoe.vt.edu ; Dell Optiplex GX110, 215 Randolph
128.173.189.4 halley.aoe.vt.edu ; Power Mac running Linux
128.173.189.5 yko.aoe.vt.edu ; PowerMac 9600/200, Andy Ko's Office
128.173.189.6 nsl-lpr.aoe.vt.edu ; Woolsey Lab Printer
128.173.189.7 jsajdak.aoe.vt.edu ; 103 Randolph Annex
128.173.189.8 brown4.aoe.vt.edu ; Dr. Brown's Graduate Student
128.173.189.9 johnson.aoe.vt.edu ; PowerMac 7300/200, Randolph 224B
128.173.189.10 severa.aoe.vt.edu ; Dell Flat Panel STL, Randolph 311A
128.173.189.11 scooby.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.189.12 shaggy.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.189.13 sandbox.aoe.vt.edu ; Sysadmin NAT, Randolph 313
128.173.189.14 velma.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.189.15 daphne.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.189.16 ldvdaq.aoe.vt.edu ; Used in bllab, 015 Randolph
128.173.189.17 aoe17.aoe.vt.edu ; Unknown - Some newer Apple
128.173.189.18 licenseserver3.aoe.vt.edu ; License server (server rack)
#128.173.189.19 netmagic1.aoe.vt.edu ; OpenBSD Firewall for GL and servers.
128.173.189.20 dl-sprucegoose.aoe.vt.edu ; Flat panel Dell, design lab extension Randolph
128.173.189.21 devenport-dock.aoe.vt.edu ; Dell Insipron 8200, 224E Randolph
128.173.189.22 lwoffice.aoe.vt.edu ; HP JetDirect External, 215 Randolph
128.173.189.23 devenport-lt2.aoe.vt.edu ; Dell Inspiron 8200
128.173.191.1 genecliff.aoe.vt.edu ; SunFire 280R, 313 Randolph
#128.173.191.2 alexandria-nfs.aoe.vt.edu ; Main file server, 313 Randolph
128.173.191.3 brown3.aoe.vt.edu ; GW2K E-3300, Randolph 311B
128.173.191.4 fred.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.191.5 rhea.aoe.vt.edu ; GW2K E-3000, Randolph 217A
128.173.191.6 scrappy.aoe.vt.edu ; Dell Optiplex, Randolph 26
128.173.191.7 dl-valdez.aoe.vt.edu ; Design Lab P4P800 blue Asus Pentium 4 computer
128.173.191.8 tweedy.aoe.vt.edu ; 26 Randolph
128.173.191.9 severian.aoe.vt.edu ; Dual Athlon, 313 Randolph
128.173.191.10 falcon.aoe.vt.edu ; P133 Gateway, 109 Randolph Annex
128.173.191.11 gstaffor.aoe.vt.edu ; IBM P133, Basement
128.173.191.12 distance1.aoe.vt.edu ; Supermicro Rackmount, 313 Randolph
128.173.191.13 distance2.aoe.vt.edu ; Supermicro Rackmount, 313 Randolph
128.173.191.14 brown.aoe.vt.edu ; GW2K PII 233, Rand 311B
128.173.191.15 cliff-lt.aoe.vt.edu ; Dr. Cliff's Apple G3 Laptop
128.173.191.16 chall2.aoe.vt.edu ; Dell Optiplex 200, Randolph 228
128.173.191.17 kutta.aoe.vt.edu ; Fluid Lab
128.173.191.18 morr.aoe.vt.edu ; 108 Randolph Annex
128.173.191.19 msimbula.aoe.vt.edu ; 108 Randolph Annex
128.173.191.20 hyekim.aoe.vt.edu ; Gateway A1200, Rand 219C
128.173.191.21 stedwar1.aoe.vt.edu ; Supersonic Lab, Randolph
128.173.191.22 rstillin.aoe.vt.edu ; 108 Randolph Annex
128.173.191.23 brown2.aoe.vt.edu ; Something, Randolph 311B
128.173.191.24 george2.aoe.vt.edu ; Dell, 100 Randolph Annex
128.173.191.25 grossman-lt.aoe.vt.edu ; MacOS Apple G4 Laptop(Grossman)
128.173.191.26 byun-lt.aoe.vt.edu ; Dr. Byun's laptop(exp.01/01/2002)
128.173.191.27 cwoolsey-lt.aoe.vt.edu ; IBM Laptop, 217D Randolph
128.173.191.28 smissoum.aoe.vt.edu ; 217? Randolph Hall
128.173.191.29 hughes.aoe.vt.edu ; IBM 350-P133, Old Conf Room
128.173.191.30 annexprinter.aoe.vt.edu ; Print server in AOE Annex
128.173.191.31 confroom.aoe.vt.edu ; Dell Optiplex, Conference Room,Rand
128.173.191.32 cascade.aoe.vt.edu ; Randolph Annex, 103
128.173.191.33 dl-osprey.aoe.vt.edu ; Dell Optiplex GX240, 217 Randolph
128.173.191.34 jbenning.aoe.vt.edu ; Jeremy Bennington's, 26 Randolph
128.173.191.35 dl-chernobyl.aoe.vt.edu ; Dell Optiplex GX240, 217 Randolph
128.173.191.36 dl-bhopal.aoe.vt.edu ; Dell Optiplex GX240, 217 Randolph
128.173.191.37 bllab.aoe.vt.edu ; Boundary Layer Lab, Randolph
128.173.191.38 hp2300.aoe.vt.edu ; 315 Randolph Hall
128.173.191.39 gl-newton.aoe.vt.edu ; Dell Optiplex GX240, 315 Randolph
128.173.191.40 kapaniaimac.aoe.vt.edu ; Temporary Setup Account, 331 Randolph
128.173.191.41 gl-gauss.aoe.vt.edu ; Dell Optiplex GX240, 315 Randolph
128.173.191.42 kapania.aoe.vt.edu ; Apple G4, 213E Randolph
#128.173.191.43 hps.aoe.vt.edu ; Virtual Web Server for HPS
128.173.191.44 gl-euclid.aoe.vt.edu ; Dell Optiplex GX240, 315 Randolph
128.173.191.45 kimhm.aoe.vt.edu ; --
128.173.191.46 nsl04.aoe.vt.edu ; dell dimension 4700, 1A Randolph Hall
128.173.191.47 dl-polarlander.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.48 dl-maine.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.49 dl-titanic.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.50 dl-akron.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.51 dl-challenger.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.52 dl-apollo1.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.53 gateway2.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.54 dl-lusitania.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.55 dl-hindenberg.aoe.vt.edu ; Gateway A1000, 217 Randolph
128.173.191.56 vaio.aoe.vt.edu ; Sony VAIO Laptop
128.173.191.57 dl-columbia.aoe.vt.edu ; Flat panel Dell, Design lab extension Randolph
128.173.191.58 licenseserver2.aoe.vt.edu ; The other License Server (runs Linux)
128.173.191.59 george-lt.aoe.vt.edu ; George's Sony Laptop, 100 Randolph Annex
128.173.191.60 gl-mimas.aoe.vt.edu ; Gateway A1000, 315 Randolph
128.173.191.61 gl-encaladus.aoe.vt.edu ; Gateway A1000, 315 Randolph
128.173.191.62 gl-hyperion.aoe.vt.edu ; Gateway A1000, 315 Randolph
128.173.191.63 gl-iapetus.aoe.vt.edu ; Gateway A1000, 315 Randolph
128.173.191.64 gl-phoebe.aoe.vt.edu ; Gateway A1000, 315 Randolph
128.173.191.65 cwoolsey-dt.aoe.vt.edu ; Dell ?, 217D Randolph
128.173.191.66 asang.aoe.vt.edu ; Randolph Annex 107
128.173.191.67 maccdr.aoe.vt.edu ; Power Macintosh G3, 311 Randolph
128.173.191.68 berryman.aoe.vt.edu ; John Berryman - 311A Randolph
128.173.191.69 jschetz-lt.aoe.vt.edu ; Dell Latitude, 219D Randolph
128.173.191.70 valkyrie.aoe.vt.edu ; Sun Blade 1000, 217C Randolph
128.173.191.71 hp4550.aoe.vt.edu ; HP 4550, 215 Randolph Hall
128.173.191.72 granlund.aoe.vt.edu ; 109 Randolph Annex
#128.173.191.74 loughboro.aoe.vt.edu ; Temporary account for loughboro visiting group (expires 4/4/04)
#128.173.191.75 smullani.aoe.vt.edu ; Graduate lab randolph, gateway 31XX
#
#
#
# ------------------------------------------------------------------------------#
#
#Names for hosts:
#
#Uranus
# umbriel.aoe.vt.edu
# titania.aoe.vt.edu
==== Security ====
- Describe the logging system including syslog, logwatch, epilog and how they all relate with Artemis.
- yp broken on email and sudo. Possibly still using NIS?
- Changing ssh ports for
* licenseserver2
* courier
* athena
* possibly alexandria
* any others
- email setting for DenyHosts from atlantis01
- firewall for
* athena
* artemis
* typhon
* genecliff
* atlantis
* licenseserver2
* killians
- iptables file to edit
* to add reporting
- DenyHosts for enterprise (or iptables)
* tcp_wrappers - ssh does not respect hosts.deny
- hosts.allow still locks me out sometimes
- Turn off: (licenseserver2)
* sendmail accepting connections?
* ipp
===== Endpoint =====
* 'firewalled' notice in network connections is not listed
* Does not automatically select Outlook scanning.
===== sputnik.lib.vt.edu attack =====
* noticed log entries on 12/19/2007 after SANS class of authentication attempts from 128.173.125.230, SPUTNIK.
* HC++ query on IP gives:
Domain Name lib.vt.edu
Primary Contact Mike Linkous
* sent Mike an email and he promptly left a phone message stating the machine had to be rebuilt.
ntsyslog from these:
* Failure audits range 12/18/2007 10:07:19PM until 12/19/2007 8:37:04 AM on Licenseserver3
* Failure audits range 12/28/2007 8:49:14PM until 12/19/2007 6:41:15 AM on Licenseserver4
* sphinx
* licenseserver
Other Machines attacked also
* dl-titanic
* Others?
Not attacked:
* dl-maine
===== ramblings and port stuff =====
At Caltech, they have a guest SSID that gives you an RFC 1918 address behind NAT. You have to read a ToS and agree to be nice. Additionally, they rate limit each client to ~768 kbps and only pass
tcp/22 (ssh),
tcp/80 (http),
tcp/443 (https),
udp/1701 and tcp/1701 (l2tp), and
udp/1723 and tcp/1723 (pptp)
through to the outside world. Despite those restrictions, I was able to browse the web, ssh to my machines, and use the VPN for everything else during my stay.
===== ubuntu security =====
[[http://www.itsecurity.com/features/ubuntu-secure-install-resource/]]
==== protect grub ====
[[http://ubuntuforums.org/showthread.php?t=7353]]
==== brute force defense ====
[[http://bsdly.blogspot.com/2009/04/slow-brute-zombies-are-back.html]]
one post listed this technique:
DELETED ACCOUNT said...
Since I can enumerate ahead of time the list of sources of acceptable SSH connections, I use TCP wrappers to help the zombies out:
In /etc/hosts.allow (extended TCP wrapper syntax):
sshd : validnet/validmask \
127.0.0.0/255.0.0.0 \
: ALLOW
sshd : ALL : banners /var/db/banners \
: twist /bin/sleep 60
The other component:
% cat /var/db/banners/sshd
SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
Legitimate connections from within the IP space defined by validnet/validmask are passed to sshd normally. Everything else gets something that looks valid, the TCP connection is held open for up to 60 seconds, and then it closes. It's analogous to PF-spamd's blacklisting behavior.
===== severian dropped packets =====
From 10.0.50.70 - 83842 packets to udp(47624,47624,47624,47624,47624,47624,47624,47624,47624,47624,47624)
From 10.0.50.72 - 1813 packets to udp(47624,47624,47624,47624)
From 10.0.50.74 - 456 packets to udp(47624,47624,47624,47624)
May 13 09:17:12 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:18:2c:2c:05:08:00 SRC=10.0.50.70 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=27364 PROTO=UDP SPT=3403 DPT=47624 LEN=60
10182c2c0508
10182c2c1708
10182c3a2f08
Looks like local network udp communication from vtcadlab.
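Added example (not code from this page): a small parser that turns FIREWALL-DROPPED lines like the one above into the "From <src> - N packets to udp(...)" summary at the top of this section, and pulls the sending MAC out of the MAC= field (dst MAC, src MAC, ethertype). The log lines below are constructed in the same format.

```python
import re
from collections import Counter, defaultdict

# One netfilter LOG entry is a run of KEY=VALUE pairs after the log prefix
# (OUT= may be empty); MAC= carries dst MAC, src MAC and ethertype (14 octets).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX = "FIREWALL-DROPPED"

# Constructed sample lines in the same format as the severian entry above.
SAMPLE_LOG = """\
May 13 09:17:12 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:18:2c:2c:05:08:00 SRC=10.0.50.70 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=27364 PROTO=UDP SPT=3403 DPT=47624 LEN=60
May 13 09:17:13 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:18:2c:2c:05:08:00 SRC=10.0.50.70 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=27365 PROTO=UDP SPT=3403 DPT=47624 LEN=60
May 13 09:17:14 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:18:2c:2c:17:08:00 SRC=10.0.50.72 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=1021 PROTO=UDP SPT=3403 DPT=47624 LEN=60
May 13 09:18:01 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:00:10:18:3a:2f:08:08:00 SRC=10.0.50.74 DST=10.0.50.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=TCP SPT=4455 DPT=22 LEN=40
May 13 09:18:02 severian sshd[1234]: Accepted publickey for admin from 10.0.50.9
"""

def parse_drop(line):
    """Return (src_ip, proto, dst_port, src_mac) for a dropped-packet line, else None."""
    if PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
    octets = fields.get("MAC", "").split(":")
    src_mac = ":".join(octets[6:12]) if len(octets) == 14 else ""
    return fields["SRC"], fields["PROTO"].lower(), int(fields["DPT"]), src_mac

def summarize(log_text):
    """Count dropped packets per (source IP, proto, dst port) and remember each source's MACs."""
    counts = defaultdict(Counter)
    macs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec:
            src, proto, dpt, mac = rec
            counts[src][(proto, dpt)] += 1
            if mac:
                macs[src].add(mac)
    return counts, macs

def report(counts, macs):
    """Render 'From <src> - N packets to udp(port x count)' lines, busiest source first."""
    out = []
    for src in sorted(counts, key=lambda s: -sum(counts[s].values())):
        ports = ", ".join(f"{proto}({dpt}x{n})" for (proto, dpt), n in sorted(counts[src].items()))
        out.append(f"From {src} - {sum(counts[src].values())} packets to {ports}; mac {','.join(sorted(macs[src]))}")
    return out
```

Against a real file, `report(*summarize(open("/var/log/messages").read()))` gives the same per-source view; lines without the FIREWALL-DROPPED prefix are ignored.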
===== Port 2343 udp, National Instruments Lookout =====
Maybe:
[[http://zone.ni.com/devzone/cda/tut/p/id/3681]]
===== remote ssh wireshark =====
http://wiki.wireshark.org/CaptureSetup/Pipes
wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )
===== Browser Check =====
http://browsercheck.qualys.com
===== Find_SSNs =====
to run Find_SSNs on alexandria2:
python Find_SSNs.pyw -p /export/facultystaff3/stedwar1 -o ./ -t html -a
python Find_SSNs.pyw -?
Proper usage on Linux, Unix and Macs:
NoGUI: python Find_SSNs.pyw -p /search/folder -o /output/folder -t html -a
GUI: python Find_SSNs.pyw
Proper usage on Windows:
NoGUI: Find_SSNs.exe -p c:/search/folder -o c:/output/folder -t html -a
GUI: Find_SSNs.exe
Notes:
-p The folder to search.
-o The folder to write reports to.
-t may be html or csv
-a may be replaced by -s (search for SSNs only) or -c (search for CCNs only)
sed -i 's/file\:\/\/\/\/export/file\:\/\/\/\/home/g' Find_SSNs.html
sed -i 's/"Open the file">\/export/"Open the file">\/home/g' Find_SSNs.html
this command line looks for previously found SSNs in cdhall-ssns.txt in his Find_SSNs.txt
sed 's/-//g' cdhall-ssns.txt |grep -v ^$ |while read i ; do grep "$i" diskhogs/cdhall/Find_SSNs.txt; done
This line finds every Find_SSNs.brief.txt file, counts its lines and sorts the non-empty ones by count
find . -iname Find_SSNs.brief.txt -exec wc -l {} \; |grep -v ^0|sort -n
less search for the SSN pattern:
/[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}
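Added example, not Find_SSNs itself: a small Python scanner that applies the same SSN pattern as the less search above, drops values the SSA never issues, validates card-number candidates with the Luhn check, takes -s/-c/-a style switches, and produces the per-file tally that the brief files above are counted from. The sample text is constructed.

```python
import os
import re

# The page's less pattern for SSNs, bounded so it cannot fire inside longer digit runs.
SSN_RE = re.compile(r"(?<![0-9-])([0-9]{3})[- ]([0-9]{2})[- ]([0-9]{4})(?![0-9-])")
# Card-number candidates: 13-19 digits with optional single space/dash separators.
CCN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample text, not real data.
SAMPLE_TEXT = (
    "Payroll note: SSN 123-45-6789 on file, office phone 540-231-6000.\n"
    "Placeholder 000-12-3456 is not an issuable SSN.\n"
    "Card on file 4111 1111 1111 1111; mistyped copy 4111 1111 1111 1112.\n"
)

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text, ssns=True, ccns=True):
    """Return (ssn_hits, ccn_hits); the flags mirror Find_SSNs -s, -c and -a."""
    ssn_hits = [m.group(0) for m in SSN_RE.finditer(text)
                if ssns and plausible_ssn(*m.groups())]
    ccn_hits = [m.group(0) for m in CCN_RE.finditer(text)
                if ccns and luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return ssn_hits, ccn_hits

def scan_tree(root, ssns=True, ccns=True):
    """Walk root (-p) and return {path: (ssn_count, ccn_count)} for files with hits."""
    brief = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    s, c = scan_text(fh.read(), ssns, ccns)
            except OSError:
                continue
            if s or c:
                brief[path] = (len(s), len(c))
    return brief
```

`scan_tree("/export/facultystaff3/stedwar1")` corresponds to the -p run above; unreadable files are skipped rather than aborting the scan.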